packages/libndp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!13 fix CVE-2024-5564

Browse Source 
From: @XWwalker 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
This commit is contained in:
openeuler-ci-bot 2024-06-11 07:01:27 +00:00 committed by Gitee
commit d1b023f4eb
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 56 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
backport-CVE-2024-5564.patch Normal file
View File

@ -0,0 +1,47 @@
From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
From: Hangbin Liu <liuhangbin@gmail.com>
Date: Wed, 5 Jun 2024 11:57:43 +0800
Subject: [PATCH] libndp: valid route information option length
RFC 4191 specifies that the Route Information Option Length should be 1, 2,
or 3, depending on the Prefix Length. A malicious node could potentially
trigger a buffer overflow and crash the tool by sending an IPv6 router
advertisement message containing the "Route Information" option with a
"Length" field larger than 3.
To address this, add a check on the length field.
Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
Reported-by: Evgeny Vereshchagin <evverx@gmail.com>
Suggested-by: Felix Maurer <fmaurer@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reference:https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af
Conflict:NA
---
libndp/libndp.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/libndp/libndp.c b/libndp/libndp.c
index 6314717..72ec92e 100644
--- a/libndp/libndp.c
+++ b/libndp/libndp.c
@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
*/
if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
return false;
+
+ /* The Length field is 1, 2, or 3 depending on the Prefix Length.
+ * If Prefix Length is greater than 64, then Length must be 3.
+ * If Prefix Length is greater than 0, then Length must be 2 or 3.
+ * If Prefix Length is zero, then Length must be 1, 2, or 3.
+ */
+ if (ri->nd_opt_ri_len > 3 ||
+ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
+ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
+ return false;
+
return true;
}

10
libndp.spec
View File

@ -1,11 +1,13 @@
Name: libndp Name: libndp
Version: 1.8 Version: 1.8
Release: 2 Release: 3
Summary: Library for Neighbor Discovery Protocol Summary: Library for Neighbor Discovery Protocol
License: LGPLv2+ License: LGPLv2+
URL: http://www.libndp.org/ URL: http://www.libndp.org/
Source: http://www.libndp.org/files/libndp-%{version}.tar.gz Source: http://www.libndp.org/files/libndp-%{version}.tar.gz
Patch0: backport-CVE-2024-5564.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: make BuildRequires: make
@ -54,6 +56,12 @@ Document files for libndp.
%{_mandir}/man8/ndptool.8* %{_mandir}/man8/ndptool.8*
%changelog %changelog
* Tue Jun 11 2024 xingwei <xingwei14@h-partners.com> - 1.8-3
- Type:CVE
- ID:CVE-2024-5564
- SUG:NA
- DESC:fix CVE-2024-5564
* Fri Oct 21 2022 gaihuiying <eaglegai@163.com> - 1.8-2 * Fri Oct 21 2022 gaihuiying <eaglegai@163.com> - 1.8-2
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA