HomeFreeBSD

rtsold: Fix validation of RDNSS options

Description

rtsold: Fix validation of RDNSS options

The header specifies the size of the option in multiples of eight bytes.
The option consists of an eight-byte header followed by one or more IPv6
addresses, so the option is invalid if the size is not equal to 1+2n for
some n>0. Check this.

The bug can cause random stack data to be formatted as an IPv6 address
and passed to resolvconf(8), but a host able to trigger the bug may also
specify arbitrary addresses this way.

Reported by: Q C <cq674350529@gmail.com>
Sponsored by: The FreeBSD Foundation

(cherry picked from commit 1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c)

Details

Provenance
markjAuthored on Mar 21 2021, 6:18 PM
Parents
rG98bb0d48c1d0: wpa: import fix for P2P provision discovery processing vulnerability
Branches
Unknown
Tags
Unknown