HomeFreeBSD

rtsold: Fix validation of RDNSS options

Description

rtsold: Fix validation of RDNSS options

The header specifies the size of the option in multiples of eight bytes.
The option consists of an eight-byte header followed by one or more IPv6
addresses, so the option is invalid if the size is not equal to 1+2n for
some n>0. Check this.

The bug can cause random stack data to be formatted as an IPv6 address
and passed to resolvconf(8), but a host able to trigger the bug may also
specify arbitrary addresses this way.

Reported by: Q C <cq674350529@gmail.com>
Sponsored by: The FreeBSD Foundation

(cherry picked from commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c)

Details

Provenance
markjAuthored on Mar 21 2021, 6:18 PM
Parents
rG3c2224758fc0: MFC eeb26cf52c4c51e1571253d57684c442aa79a98d:
Branches
Unknown
Tags
Unknown