Date: Thu, 25 Mar 2021 18:38:06 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 72280d7e5734 - releng/13.0 - rtsold: Fix validation of RDNSS options Message-ID: <202103251838.12PIc6i3065998@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch releng/13.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=72280d7e5734946e2592cfd8be6895c2b3fdf46b commit 72280d7e5734946e2592cfd8be6895c2b3fdf46b Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2021-03-21 18:18:10 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-03-25 18:37:45 +0000 rtsold: Fix validation of RDNSS options The header specifies the size of the option in multiples of eight bytes. The option consists of an eight-byte header followed by one or more IPv6 addresses, so the option is invalid if the size is not equal to 1+2n for some n>0. Check this. The bug can cause random stack data to be formatted as an IPv6 address and passed to resolvconf(8), but a host able to trigger the bug may also specify arbitrary addresses this way. Approved by: re (cperciva) Reported by: Q C <cq674350529@gmail.com> Sponsored by: The FreeBSD Foundation (cherry picked from commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c) (cherry picked from commit e4bdf7ac2a32ba1f2402e06360e476ec804210e7) --- usr.sbin/rtsold/rtsol.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c index 30027fc65ac9..76756bfd8393 100644 --- a/usr.sbin/rtsold/rtsol.c +++ b/usr.sbin/rtsold/rtsol.c @@ -363,13 +363,19 @@ rtsol_input(int sock) case ND_OPT_RDNSS: rdnss = (struct nd_opt_rdnss *)raoptp; - /* Optlen sanity check (Section 5.3.1 in RFC 6106) */ - if (rdnss->nd_opt_rdnss_len < 3) { + /* + * The option header is 8 bytes long and each address + * occupies 16 bytes, so the option length must be + * greater than or equal to 24 bytes and an odd multiple + * of 8 bytes. See section 5.1 in RFC 6106. + */ + if (rdnss->nd_opt_rdnss_len < 3 || + rdnss->nd_opt_rdnss_len % 2 == 0) { warnmsg(LOG_INFO, __func__, - "too short RDNSS option" - "in RA from %s was ignored.", - inet_ntop(AF_INET6, &from.sin6_addr, - ntopbuf, sizeof(ntopbuf))); + "too short RDNSS option in RA from %s " + "was ignored.", + inet_ntop(AF_INET6, &from.sin6_addr, ntopbuf, + sizeof(ntopbuf))); break; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202103251838.12PIc6i3065998>