Sync from SUSE:SLFO:Main libndp revision 53b0446310035f18c7c19e468357df97

2024-08-02 15:15:04 +02:00
parent e05aa5e131
commit 7d5b795a38
3 changed files with 57 additions and 2 deletions
--- a/libndp-CVE-2024-5564.patch
+++ b/libndp-CVE-2024-5564.patch
@@ -0,0 +1,47 @@
+From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 5 Jun 2024 11:57:43 +0800
+Subject: [PATCH] libndp: valid route information option length
+
+RFC 4191 specifies that the Route Information Option Length should be 1, 2,
+or 3, depending on the Prefix Length. A malicious node could potentially
+trigger a buffer overflow and crash the tool by sending an IPv6 router
+advertisement message containing the "Route Information" option with a
+"Length" field larger than 3.
+
+To address this, add a check on the length field.
+
+Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
+Reported-by: Evgeny Vereshchagin <evverx@gmail.com>
+Suggested-by: Felix Maurer <fmaurer@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+---
+ libndp/libndp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libndp/libndp.c b/libndp/libndp.c
+index 6314717..72ec92e 100644
+--- a/libndp/libndp.c
+++ b/libndp/libndp.c
+@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
+ 	 */
+ 	if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
+ 		return false;
+
+	/* The Length field is 1, 2, or 3 depending on the Prefix Length.
+	 * If Prefix Length is greater than 64, then Length must be 3.
+	 * If Prefix Length is greater than 0, then Length must be 2 or 3.
+	 * If Prefix Length is zero, then Length must be 1, 2, or 3.
+	 */
+	if (ri->nd_opt_ri_len > 3 ||
+	    (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
+	    (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
+		return false;
+
+ 	return true;
+ }
+ 
+-- 
+2.45.0
+
--- a/libndp.changes
+++ b/libndp.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jun 27 20:52:57 UTC 2024 - Michael Gorse <mgorse@suse.com>
+
+- Add libndp-CVE-2024-5564.patch: add a check on the route
+  information option length field (bsc#1225771 CVE-2024-5564).
+
 -------------------------------------------------------------------
 Tue Jan  4 22:49:20 UTC 2022 - Dirk Müller <dmueller@suse.com>

--- a/libndp.spec
+++ b/libndp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libndp
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,6 +24,8 @@ License:        LGPL-2.1-or-later
 Group:          Productivity/Networking/Other
 URL:            http://libndp.org/
 Source:         http://libndp.org/files/libndp-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM libndp-CVE-2024-5564.patch bsc#1225771 mgorse@suse.com -- add a check on the route information option length field.
+Patch0:         libndp-CVE-2024-5564.patch
 BuildRequires:  pkgconfig

 %description
@@ -49,7 +51,7 @@ The libndp-devel package contains the header files necessary for developing
 programs using libndp.

 %prep
-%setup -q
+%autosetup -p1

 %build
 %configure \