Date: Sun, 21 Mar 2021 18:19:54 GMT
Message-Id: <202103211819.12LIJsW3061321@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: Mark Johnston <markj@FreeBSD.org>
Subject: git: 1af332a7d8f8 - main - rtsold: Fix validation of RDNSS options

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c

commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-03-21 18:18:10 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-03-21 18:19:42 +0000

    rtsold: Fix validation of RDNSS options
    
    The header specifies the size of the option in multiples of eight bytes.
    The option consists of an eight-byte header followed by one or more IPv6
    addresses, so the option is invalid if the size is not equal to 1+2n for
    some n>0.  Check this.
    
    The bug can cause random stack data to be formatted as an IPv6 address
    and passed to resolvconf(8), but a host able to trigger the bug may also
    specify arbitrary addresses this way.
    
    Reported by:    Q C <cq674350529@gmail.com>
    Sponsored by:   The FreeBSD Foundation
    MFC after:      3 days
---
 usr.sbin/rtsold/rtsol.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 30027fc65ac9..76756bfd8393 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -363,13 +363,19 @@ rtsol_input(int sock)
 		case ND_OPT_RDNSS:
 			rdnss = (struct nd_opt_rdnss *)raoptp;
 
-			/* Optlen sanity check (Section 5.3.1 in RFC 6106) */
-			if (rdnss->nd_opt_rdnss_len < 3) {
+			/*
+			 * The option header is 8 bytes long and each address
+			 * occupies 16 bytes, so the option length must be
+			 * greater than or equal to 24 bytes and an odd multiple
+			 * of 8 bytes.  See section 5.1 in RFC 6106.
+			 */
+			if (rdnss->nd_opt_rdnss_len < 3 ||
+			    rdnss->nd_opt_rdnss_len % 2 == 0) {
 				warnmsg(LOG_INFO, __func__,
-		    			"too short RDNSS option"
-					"in RA from %s was ignored.",
-					inet_ntop(AF_INET6, &from.sin6_addr,
-					    ntopbuf, sizeof(ntopbuf)));
+				    "too short RDNSS option in RA from %s "
+				    "was ignored.",
+				inet_ntop(AF_INET6, &from.sin6_addr, ntopbuf,
+				    sizeof(ntopbuf)));
 				break;
 			}
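
Review bot: The warning text in the rewritten `warnmsg` call still says "too short RDNSS option", but the added `rdnss->nd_opt_rdnss_len % 2 == 0` condition also rejects options that are long enough and merely have an even length, so the log line misdescribes that case. Suggest wording such as "RDNSS option with invalid length" and printing the value of `nd_opt_rdnss_len`, so the log shows which condition was hit. Style point in the same call: the `inet_ntop(AF_INET6, &from.sin6_addr, ntopbuf,` line is indented shallower than the format-string lines above it although all of them are continuation arguments of `warnmsg`; indenting it to the same four-space continuation level would keep the argument list consistent.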