|
 |
cde29f3 |
From c4ea553123a5ab1bf5fab38f12a540020c08293d Mon Sep 17 00:00:00 2001
|
|
|
cde29f3 |
From: David Lamparter <equinox@opensourcerouting.org>
|
|
|
cde29f3 |
Date: Wed, 31 Aug 2016 13:31:16 +0200
|
|
|
cde29f3 |
Subject: [PATCH 4/4] zebra: stack overrun in IPv6 RA receive code
|
|
|
cde29f3 |
(CVE-2016-1245)
|
|
|
cde29f3 |
|
|
|
cde29f3 |
The IPv6 RA code also receives ICMPv6 RS and RA messages.
|
|
|
cde29f3 |
Unfortunately, by bad coding practice, the buffer size specified on
|
|
|
cde29f3 |
receiving such messages mixed up 2 constants that in fact have
|
|
|
cde29f3 |
different values.
|
|
|
cde29f3 |
|
|
|
cde29f3 |
The code itself has:
|
|
|
cde29f3 |
#define RTADV_MSG_SIZE 4096
|
|
|
cde29f3 |
While BUFSIZ is system-dependent, in my case (x86_64 glibc):
|
|
|
cde29f3 |
/usr/include/_G_config.h:#define _G_BUFSIZ 8192
|
|
|
cde29f3 |
/usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
|
|
|
cde29f3 |
/usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ
|
|
|
cde29f3 |
|
|
|
cde29f3 |
FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
|
|
|
cde29f3 |
have BUFSIZ == 1024.
|
|
|
cde29f3 |
|
|
|
cde29f3 |
As the latter is passed to the kernel on recvmsg(), it's possible to
|
|
|
cde29f3 |
overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
|
|
|
cde29f3 |
to any of the system's addresses (using fragmentation to get to 8k).
|
|
|
cde29f3 |
|
|
|
cde29f3 |
(The socket has filters installed limiting this to RS and RA packets,
|
|
|
cde29f3 |
but does not have a filter for source address or TTL.)
|
|
|
cde29f3 |
|
|
|
cde29f3 |
Issue discovered by trying to test other stuff, which randomly caused
|
|
|
cde29f3 |
the stack to be smaller than 8kB in that code location, which then
|
|
|
cde29f3 |
causes the kernel to report EFAULT (Bad address).
|
|
|
cde29f3 |
|
|
|
cde29f3 |
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
|
|
|
cde29f3 |
Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>
|
|
|
cde29f3 |
|
|
|
cde29f3 |
Cherry-picked from: cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
|
|
|
cde29f3 |
Resolves: #1386110
|
|
|
cde29f3 |
---
|
|
|
cde29f3 |
zebra/rtadv.c | 2 +-
|
|
|
cde29f3 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
cde29f3 |
|
|
|
cde29f3 |
diff --git a/zebra/rtadv.c b/zebra/rtadv.c
|
|
|
cde29f3 |
index 21ca6da..973ae08 100644
|
|
|
cde29f3 |
--- a/zebra/rtadv.c
|
|
|
cde29f3 |
+++ b/zebra/rtadv.c
|
|
|
cde29f3 |
@@ -515,7 +515,7 @@ rtadv_read (struct thread *thread)
|
|
|
cde29f3 |
/* Register myself. */
|
|
|
cde29f3 |
rtadv_event (RTADV_READ, sock);
|
|
|
cde29f3 |
|
|
|
cde29f3 |
- len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
|
|
|
cde29f3 |
+ len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
|
|
|
cde29f3 |
|
|
|
cde29f3 |
if (len < 0)
|
|
|
cde29f3 |
{
|
|
|
cde29f3 |
--
|
|
|
cde29f3 |
2.7.4
|
|
|
cde29f3 |
|