File bnc721968_4.patch of Package radvd.import5316

Overview Repositories Revisions Requests Users Attributes Meta

File bnc721968_4.patch of Package radvd.import5316

References: CVE-2011-3604, bnc#721968
commit 7de1b9abf87b747ee2611c0d2a94dfeee79878b4
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Oct 4 00:35:57 2011 -0700

process_ra() has numerous missed len checks.  It leads to buffer
    overreads.

Index: radvd-1.3/process.c
===================================================================
--- radvd-1.3.orig/process.c	2011-10-19 12:17:27.000000000 +0200
+++ radvd-1.3/process.c	2011-10-19 12:20:31.000000000 +0200
@@ -308,6 +308,8 @@ process_ra(struct Interface *iface, unsi
 		{
 		case ND_OPT_MTU:
 			mtu = (struct nd_opt_mtu *)opt_str;
+			if (len < sizeof(*mtu))
+				return;
 
 			if (iface->AdvLinkMTU && (ntohl(mtu->nd_opt_mtu_mtu) != iface->AdvLinkMTU))
 			{
@@ -317,6 +319,8 @@ process_ra(struct Interface *iface, unsi
 			break;
 		case ND_OPT_PREFIX_INFORMATION:
 			pinfo = (struct nd_opt_prefix_info *) opt_str;
+			if (len < sizeof(*pinfo))
+				return;
 			preferred = ntohl(pinfo->nd_opt_pi_preferred_time);
 			valid = ntohl(pinfo->nd_opt_pi_valid_time);
 			
@@ -371,6 +375,8 @@ process_ra(struct Interface *iface, unsi
 			break;
 		case ND_OPT_RDNSS_INFORMATION:
 			rdnssinfo = (struct nd_opt_rdnss_info_local *) opt_str;
+			if (len < sizeof(*rdnssinfo))
+				return;
 			count = rdnssinfo->nd_opt_rdnssi_len;
 			
 			/* Check the RNDSS addresses received */

Places

File bnc721968_4.patch of Package radvd.import5316

Places