Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 24 Mar 2021 13:33:48 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 31f8a7f31c86 - stable/11 - rtsold: Fix validation of RDNSS options
Message-ID:  <202103241333.12ODXm1B025172@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch stable/11 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=31f8a7f31c8622833a7750de79617573f8e6a521

commit 31f8a7f31c8622833a7750de79617573f8e6a521
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2021-03-21 18:18:10 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-03-24 13:31:36 +0000

    rtsold: Fix validation of RDNSS options
    
    The header specifies the size of the option in multiples of eight bytes.
    The option consists of an eight-byte header followed by one or more IPv6
    addresses, so the option is invalid if the size is not equal to 1+2n for
    some n>0.  Check this.
    
    The bug can cause random stack data to be formatted as an IPv6 address
    and passed to resolvconf(8), but a host able to trigger the bug may also
    specify arbitrary addresses this way.
    
    Reported by:    Q C <cq674350529@gmail.com>
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c)
---
 usr.sbin/rtsold/rtsol.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/rtsold/rtsol.c b/usr.sbin/rtsold/rtsol.c
index 5324cce9de30..cce131f88f3a 100644
--- a/usr.sbin/rtsold/rtsol.c
+++ b/usr.sbin/rtsold/rtsol.c
@@ -416,13 +416,19 @@ rtsol_input(int s)
 		case ND_OPT_RDNSS:
 			rdnss = (struct nd_opt_rdnss *)raoptp;
 
-			/* Optlen sanity check (Section 5.3.1 in RFC 6106) */
-			if (rdnss->nd_opt_rdnss_len < 3) {
+			/*
+			 * The option header is 8 bytes long and each address
+			 * occupies 16 bytes, so the option length must be
+			 * greater than or equal to 24 bytes and an odd multiple
+			 * of 8 bytes.  See section 5.1 in RFC 6106.
+			 */
+			if (rdnss->nd_opt_rdnss_len < 3 ||
+			    rdnss->nd_opt_rdnss_len % 2 == 0) {
 				warnmsg(LOG_INFO, __func__,
-		    			"too short RDNSS option"
-					"in RA from %s was ignored.",
-					inet_ntop(AF_INET6, &from.sin6_addr,
-					    ntopbuf, sizeof(ntopbuf)));
+				    "too short RDNSS option in RA from %s "
+				    "was ignored.",
+				inet_ntop(AF_INET6, &from.sin6_addr, ntopbuf,
+				    sizeof(ntopbuf)));
 				break;
 			}
 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202103241333.12ODXm1B025172>