From feca2bedf702bb85f6a218b5282dd61142b2bbd8 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 19 Jul 2024 09:57:57 +0300
Subject: [PATCH] - libndp: valid route information option length
---
 ...alid-route-information-option-length.patch | 44 +++++++++++++++++++
 SPECS/libndp.spec | 9 +++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0008-libndp-valid-route-information-option-length.patch
diff --git a/SOURCES/0008-libndp-valid-route-information-option-length.patch b/SOURCES/0008-libndp-valid-route-information-option-length.patch
new file mode 100644
index 0000000..15c9129
--- /dev/null
+++ b/SOURCES/0008-libndp-valid-route-information-option-length.patch
@@ -0,0 +1,44 @@
+From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Wed, 5 Jun 2024 11:57:43 +0800
+Subject: [PATCH] libndp: valid route information option length
+
+RFC 4191 specifies that the Route Information Option Length should be 1, 2,
+or 3, depending on the Prefix Length. A malicious node could potentially
+trigger a buffer overflow and crash the tool by sending an IPv6 router
+advertisement message containing the "Route Information" option with a
+"Length" field larger than 3.
+
+To address this, add a check on the length field.
+
+Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
+Reported-by: Evgeny Vereshchagin
+Suggested-by: Felix Maurer
+Signed-off-by: Hangbin Liu
+Signed-off-by: Jiri Pirko
+---
+ libndp/libndp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libndp/libndp.c b/libndp/libndp.c
+index 6314717..72ec92e 100644
+--- a/libndp/libndp.c
++++ b/libndp/libndp.c
+@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
+ */
+ if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
+ return false;
++
++ /* The Length field is 1, 2, or 3 depending on the Prefix Length.
++ * If Prefix Length is greater than 64, then Length must be 3.
++ * If Prefix Length is greater than 0, then Length must be 2 or 3.
++ * If Prefix Length is zero, then Length must be 1, 2, or 3.
++ */
++ if (ri->nd_opt_ri_len > 3 ||
++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
++ return false;
++
+ return true;
+ }
+
diff --git a/SPECS/libndp.spec b/SPECS/libndp.spec
index 7b44ec7..d41c330 100644
--- a/SPECS/libndp.spec
+++ b/SPECS/libndp.spec
@@ -1,6 +1,6 @@
 Name: libndp
 Version: 1.7
-Release: 6%{?dist}
+Release: 7%{?dist}.alma.1
 Summary: Library for Neighbor Discovery Protocol
 Group: System Environment/Libraries
 License: LGPLv2+
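Review bot: In the check added to `ndp_msg_opt_route_check_valid` (the libndp/libndp.c hunk carried inside the new 0008 patch), a Length of 0 is not rejected: with Prefix Length 0 none of the three conditions fires and the function still returns true. The commit message and the new comment both say Length is 1, 2, or 3, so the lower bound belongs in the same test unless the option walker already drops zero-length options, which is not visible in this hunk; the first condition could read `if (ri->nd_opt_ri_len < 1 || ri->nd_opt_ri_len > 3 ||`. RFC 4191 also limits Prefix Length to 0–128, and a larger value combined with Length 3 passes here, so adding `ri->nd_opt_ri_prefix_len > 128 ||` would stop out-of-range prefix lengths from reaching callers. The function body starts outside the hunk, so any earlier guard on these fields cannot be confirmed from this page.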
@@ -14,6 +14,9 @@ Patch4: 0004-libndp-fix-nd_msg-typo-when-setting-target-address.patch Patch5: 0005-ndptool-add-D-dest-support.patch Patch6: 0006-ndptool-fix-potential-memory-leak-caused-by-strdup.patch Patch7: 0007-libndp-ndptool-use-poll-instead-of-select.patch +# Patches were taken from: +# https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af +Patch8: 0008-libndp-valid-route-information-option-length.patch %description This package contains a library which provides a wrapper @@ -38,6 +41,7 @@ necessary for developing programs using libndp. %patch5 -p1 -b .ndptool_add_D_dest_support %patch6 -p1 -b .ndptool_fix_potential_memory_leak %patch7 -p1 -b .ndptool_use_poll +%patch8 -p1 -b .valid_route_info %build %configure --disable-static @@ -63,6 +67,9 @@ find $RPM_BUILD_ROOT -name \*.la -delete %{_libdir}/pkgconfig/*.pc %changelog +* Fri Jul 19 2024 Eduard Abdullin - 1.7-7.alma.1 +- libndp: valid route information option length + * Mon Apr 26 2021 Hangbin Liu - 1.7-6 - Bump the version number due to conflict with (rhbz 1937721)