Date: Wed, 24 Mar 2021 13:33:48 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 31f8a7f31c86 - stable/11 - rtsold: Fix validation of RDNSS options Message-ID: <202103241333.12ODXm1B025172@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/11 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=31f8a7f31c8622833a7750de79617573f8e6a521 commit 31f8a7f31c8622833a7750de79617573f8e6a521 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-03-21 18:18:10 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-03-24 13:31:36 +0000 rtsold: Fix validation of RDNSS options The header specifies the size of the option in multiples of eight bytes. The option consists of an eight-byte header followed by one or more IPv6 addresses, so the option is invalid if the size is not equal to 1+2n for some n>0. Check this. The bug can cause random stack data to be formatted as an IPv6 address and passed to resolvconf(8), but a host able to trigger the bug may also specify arbitrary addresses this way. Reported by: Q C <cq674350529@gmail.com> Sponsored by: The FreeBSD Foundation (cherry picked from commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c) --- usr.sbin/rtsold/rtsol.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c index 5324cce9de30..cce131f88f3a 100644 --- a/usr.sbin/rtsold/rtsol.c +++ b/usr.sbin/rtsold/rtsol.c @@ -416,13 +416,19 @@ rtsol_input(int s) case ND_OPT_RDNSS: rdnss = (struct nd_opt_rdnss *)raoptp; - /* Optlen sanity check (Section 5.3.1 in RFC 6106) */ - if (rdnss->nd_opt_rdnss_len < 3) { + /* + * The option header is 8 bytes long and each address + * occupies 16 bytes, so the option length must be + * greater than or equal to 24 bytes and an odd multiple + * of 8 bytes. See section 5.1 in RFC 6106. + */ + if (rdnss->nd_opt_rdnss_len < 3 || + rdnss->nd_opt_rdnss_len % 2 == 0) { warnmsg(LOG_INFO, __func__, - "too short RDNSS option" - "in RA from %s was ignored.", - inet_ntop(AF_INET6, &from.sin6_addr, - ntopbuf, sizeof(ntopbuf))); + "too short RDNSS option in RA from %s " + "was ignored.", + inet_ntop(AF_INET6, &from.sin6_addr, ntopbuf, + sizeof(ntopbuf))); break; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202103241333.12ODXm1B025172>