Blame SOURCES/0002-libndb-reject-redirect-and-router-advertisements-fro.patch

From b05d91c33f5d679aa3aab190d52f9cdf3189cffb Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Thu, 21 Apr 2016 19:40:52 +0200
Subject: [PATCH 2/2] libndb: reject redirect and router advertisements from
 non-link-local
RFC4861 suggests that these messages should only originate from
link-local addresses in 6.1.2 (RA) and 8.1. (redirect):
Mitigates CVE-2016-3698.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
---
 libndp/libndp.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/libndp/libndp.c b/libndp/libndp.c
index 2b85651..f817ad6 100644
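--- a/libndp/libndp.c
+++ b/libndp/libndp.c
@@ -333,6 +333,7 @@ struct ndp_msg_type_info {
 	uint8_t raw_type;
 	size_t raw_struct_size;
 	void (*addrto_adjust)(struct in6_addr *addr);
+	bool (*addrto_validate)(struct in6_addr *addr);
 };
 
 static void ndp_msg_addrto_adjust_all_nodes(struct in6_addr *addr)
@@ -359,6 +360,11 @@ static void ndp_msg_addrto_adjust_all_routers(struct in6_addr *addr)
 	addr->s6_addr32[3] = htonl(0x2);
 }
 
+static bool ndp_msg_addrto_validate_link_local(struct in6_addr *addr)
+{
+	return IN6_IS_ADDR_LINKLOCAL (addr);
+}
+
 static struct ndp_msg_type_info ndp_msg_type_info_list[] =
 {
 	[NDP_MSG_RS] = {
@@ -371,6 +377,7 @@ static struct ndp_msg_type_info ndp_msg_type_info_list[] =
 		.strabbr = "RA",
 		.raw_type = ND_ROUTER_ADVERT,
 		.raw_struct_size = sizeof(struct nd_router_advert),
+		.addrto_validate = ndp_msg_addrto_validate_link_local,
 	},
 	[NDP_MSG_NS] = {
 		.strabbr = "NS",
@@ -387,6 +394,7 @@ static struct ndp_msg_type_info ndp_msg_type_info_list[] =
 		.strabbr = "R",
 		.raw_type = ND_REDIRECT,
 		.raw_struct_size = sizeof(struct nd_redirect),
+		.addrto_validate = ndp_msg_addrto_validate_link_local,
 	},
 };
 
@@ -418,7 +426,11 @@ static bool ndp_msg_check_valid(struct ndp_msg *msg)
 
 	if (len < ndp_msg_type_info(msg_type)->raw_struct_size)
 		return false;
-	return true;
+
+	if (ndp_msg_type_info(msg_type)->addrto_validate)
+		return ndp_msg_type_info(msg_type)->addrto_validate(&msg->addrto);
+	else
+		return true;
 }
 
 static struct ndp_msg *ndp_msg_alloc(void)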
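Review bot: The new check in ndp_msg_check_valid() is applied to `msg->addrto`, a field whose name reads as a destination, while the RFC 4861 rule cited in the commit message concerns the source address of Router Advertisement and Redirect messages. If the receive path stores the sender in that field (not visible in these hunks), a comment above the `addrto_validate` call should say so, e.g. `/* on receive, addrto holds the sender; RA and Redirect must come from a link-local source (RFC 4861 6.1.2, 8.1) */`. It is also worth confirming that ndp_msg_check_valid() is reached only for received packets, since on a send path the same test would be applied to the destination instead. The validator only reads the address, so its parameter and the `addrto_validate` member could take `const struct in6_addr *addr`. The body of ndp_msg_check_valid() begins outside the hunk.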
-- 
2.5.5