mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
libndp: Patch CVE-2024-5564
Pick https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af.patch Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
9a24b76798
commit
31d7500290
@@ -0,0 +1,48 @@
|
|||||||
|
From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hangbin Liu <liuhangbin@gmail.com>
|
||||||
|
Date: Wed, 5 Jun 2024 11:57:43 +0800
|
||||||
|
Subject: [PATCH] libndp: valid route information option length
|
||||||
|
|
||||||
|
RFC 4191 specifies that the Route Information Option Length should be 1, 2,
|
||||||
|
or 3, depending on the Prefix Length. A malicious node could potentially
|
||||||
|
trigger a buffer overflow and crash the tool by sending an IPv6 router
|
||||||
|
advertisement message containing the "Route Information" option with a
|
||||||
|
"Length" field larger than 3.
|
||||||
|
|
||||||
|
To address this, add a check on the length field.
|
||||||
|
|
||||||
|
Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
|
||||||
|
Reported-by: Evgeny Vereshchagin <evverx@gmail.com>
|
||||||
|
Suggested-by: Felix Maurer <fmaurer@redhat.com>
|
||||||
|
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
|
||||||
|
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
|
||||||
|
|
||||||
|
CVE: CVE-2024-5564
|
||||||
|
Upstream-Status: Backport [https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af]
|
||||||
|
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||||
|
---
|
||||||
|
libndp/libndp.c | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libndp/libndp.c b/libndp/libndp.c
|
||||||
|
index 6314717..72ec92e 100644
|
||||||
|
--- a/libndp/libndp.c
|
||||||
|
+++ b/libndp/libndp.c
|
||||||
|
@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
|
||||||
|
*/
|
||||||
|
if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
|
||||||
|
return false;
|
||||||
|
+
|
||||||
|
+ /* The Length field is 1, 2, or 3 depending on the Prefix Length.
|
||||||
|
+ * If Prefix Length is greater than 64, then Length must be 3.
|
||||||
|
+ * If Prefix Length is greater than 0, then Length must be 2 or 3.
|
||||||
|
+ * If Prefix Length is zero, then Length must be 1, 2, or 3.
|
||||||
|
+ */
|
||||||
|
+ if (ri->nd_opt_ri_len > 3 ||
|
||||||
|
+ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
|
||||||
|
+ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
|
||||||
|
+ return false;
|
||||||
|
+
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
@@ -4,6 +4,7 @@ LICENSE = "LGPL-2.1-only"
|
|||||||
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
|
LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
|
||||||
|
|
||||||
SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \
|
SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \
|
||||||
|
file://CVE-2024-5564.patch \
|
||||||
"
|
"
|
||||||
# tag for v1.8
|
# tag for v1.8
|
||||||
SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"
|
SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"
|
||||||
|
|||||||
Reference in New Issue
Block a user