From 7d5b795a38f0db65ddaa93a496543ffcac8b4499c7743639f2f68c8b50fae3e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Fri, 2 Aug 2024 15:15:04 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main libndp revision 53b0446310035f18c7c19e468357df97
---
 libndp-CVE-2024-5564.patch | 47 ++++++++++++++++++++++++++++++++++++++
 libndp.changes | 6 +++++
 libndp.spec | 6 +++--
 3 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 libndp-CVE-2024-5564.patch
diff --git a/libndp-CVE-2024-5564.patch b/libndp-CVE-2024-5564.patch
new file mode 100644
index 0000000..add615d
--- /dev/null
+++ b/libndp-CVE-2024-5564.patch
@@ -0,0 +1,47 @@
+From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Wed, 5 Jun 2024 11:57:43 +0800
+Subject: [PATCH] libndp: valid route information option length
+
+RFC 4191 specifies that the Route Information Option Length should be 1, 2,
+or 3, depending on the Prefix Length. A malicious node could potentially
+trigger a buffer overflow and crash the tool by sending an IPv6 router
+advertisement message containing the "Route Information" option with a
+"Length" field larger than 3.
+
+To address this, add a check on the length field.
+
+Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
+Reported-by: Evgeny Vereshchagin
+Suggested-by: Felix Maurer
+Signed-off-by: Hangbin Liu
+Signed-off-by: Jiri Pirko
+---
+ libndp/libndp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libndp/libndp.c b/libndp/libndp.c
+index 6314717..72ec92e 100644
+--- a/libndp/libndp.c
++++ b/libndp/libndp.c
+@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
+ */
+ if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
+ return false;
++
++ /* The Length field is 1, 2, or 3 depending on the Prefix Length.
++ * If Prefix Length is greater than 64, then Length must be 3.
++ * If Prefix Length is greater than 0, then Length must be 2 or 3.
++ * If Prefix Length is zero, then Length must be 1, 2, or 3.
++ */
++ if (ri->nd_opt_ri_len > 3 ||
++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
++ return false;
++
+ return true;
+ }
+
+--
+2.45.0
+
diff --git a/libndp.changes b/libndp.changes
index 7158c40..b800bb6 100644
--- a/libndp.changes
+++ b/libndp.changes
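Review bot: The new length check in ndp_msg_opt_route_check_valid caps nd_opt_ri_len at 3 but has no lower bound, so a Length of 0 passes whenever nd_opt_ri_prefix_len is 64 or less. It also leaves nd_opt_ri_prefix_len unbounded, although RFC 4191 limits Prefix Length to 0–128. The generic option walker may already drop zero-length options, but that code is outside this hunk; if it does not, the first condition could read `if (ri->nd_opt_ri_len < 1 || ri->nd_opt_ri_len > 3 || ri->nd_opt_ri_prefix_len > 128 ||`. Rejecting an over-long prefix here protects callers that use the reported prefix length to size a copy or a mask. The function body starts before the embedded hunk, so earlier checks in it are not visible.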
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Jun 27 20:52:57 UTC 2024 - Michael Gorse + +- Add libndp-CVE-2024-5564.patch: add a check on the route + information option length field (bsc#1225771 CVE-2024-5564). + ------------------------------------------------------------------- Tue Jan 4 22:49:20 UTC 2022 - Dirk Müller diff --git a/libndp.spec b/libndp.spec index 2be9a92..800b518 100644 --- a/libndp.spec +++ b/libndp.spec @@ -1,7 +1,7 @@ # # spec file for package libndp # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,6 +24,8 @@ License: LGPL-2.1-or-later Group: Productivity/Networking/Other URL: http://libndp.org/ Source: http://libndp.org/files/libndp-%{version}.tar.gz +# PATCH-FIX-UPSTREAM libndp-CVE-2024-5564.patch bsc#1225771 mgorse@suse.com -- add a check on the route information option length field. +Patch0: libndp-CVE-2024-5564.patch BuildRequires: pkgconfig %description @@ -49,7 +51,7 @@ The libndp-devel package contains the header files necessary for developing programs using libndp. %prep -%setup -q +%autosetup -p1 %build %configure \
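Review bot: The `# PATCH-FIX-UPSTREAM` comment added above `Patch0:` names the bug and the CVE but not the upstream commit the patch comes from. Appending the commit id from the patch header, for example `(upstream commit 05e4ba7b0d126eea4c04387dcf40596059ee24af)`, lets a later version bump confirm the fix is in the new tarball before the patch is dropped. With `%autosetup -p1` every listed patch is applied automatically, so a stale security patch that no longer applies fails the build rather than being skipped; the commit id makes that failure quick to triage.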