HomeFreeBSD
Diffusion FreeBSD src repository 31f8a7f31c86

rtsold: Fix validation of RDNSS options
31f8a7f31c86
Actions

Description

rtsold: Fix validation of RDNSS options

The header specifies the size of the option in multiples of eight bytes.
The option consists of an eight-byte header followed by one or more IPv6
addresses, so the option is invalid if the size is not equal to 1+2n for
some n>0. Check this.

The bug can cause random stack data to be formatted as an IPv6 address
and passed to resolvconf(8), but a host able to trigger the bug may also
specify arbitrary addresses this way.

Reported by: Q C <cq674350529@gmail.com>
Sponsored by: The FreeBSD Foundation

(cherry picked from commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c)

Details

Provenance
markjAuthored on Mar 21 2021, 6:18 PM
Parents
rG98bb0d48c1d0: wpa: import fix for P2P provision discovery processing vulnerability
Branches
Unknown
Tags
Unknown

Changes (1)

PathSize
usr.sbin/
rtsold/

rG31f8a7f31c86

View Options

usr.sbin/rtsold/rtsol.c

Loading...