Date: Tue, 6 Jul 2010 15:51:57 +0200
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Cc: yoshfuji@...ux-ipv6.org
Subject: patch for remote buffer overflows and local message spoofing in mipv6 daemon

Hi,

I tried this 2 years ago on vendor-sec and with the maintainers
at that time, without success. I have polished the patch to fit the current commit.
The bugs were not fixed during those two years.
Can someone assign CVE(s)?

Sebastian


-- 
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)


The patch should apply to git.linux-ipv6.org/gitroot/mipv6-daemon.git c4a8e574785794dcc9022f8f39f087999c5f8f41

diff -ruN mipv6-daemon.orig/src/ha.c mipv6-daemon/src/ha.c
--- mipv6-daemon.orig/src/ha.c	2010-07-06 14:50:34.000000000 +0200
+++ mipv6-daemon/src/ha.c	2010-07-06 14:53:00.000000000 +0200
@@ -104,6 +104,8 @@
 
 		if (opt[0] == ND_OPT_PREFIX_INFORMATION) {
 			struct nd_opt_prefix_info *p;
+			if (olen < sizeof(struct nd_opt_prefix_info))
+				return;
 			p = (struct nd_opt_prefix_info *)opt;
 			if (p->nd_opt_pi_prefix_len > 128)
 				return;
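Review bot: The new guard in the `ND_OPT_PREFIX_INFORMATION` branch compares `olen` against `sizeof(struct nd_opt_prefix_info)`, which is only correct if `olen` is already the option length in bytes; the ND option length field is expressed in units of 8 octets, and if `olen` carried the raw field value the check would still pass undersized options. That value is computed above the hunk, so it cannot be confirmed here; a one-line comment at the check, `/* olen is the option length in bytes, not the raw 8-octet field */`, would pin the unit for the next reader. The same applies to the `sizeof(struct nd_opt_homeagent_info)` guard in the next hunk. The enclosing function begins before this hunk and continues after it.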
@@ -117,6 +119,8 @@
 		} else if (opt[0] == ND_OPT_HOME_AGENT_INFO &&
 			   ra->nd_ra_flags_reserved & ND_RA_FLAG_HOME_AGENT) {
 			struct nd_opt_homeagent_info *hainfo;
+			if (olen < sizeof(struct nd_opt_homeagent_info))
+				return;
 			hainfo = (struct nd_opt_homeagent_info *)opt;
 			pref = ntohs(hainfo->nd_opt_hai_preference);
 			life = ntohs(hainfo->nd_opt_hai_lifetime);
diff -ruN mipv6-daemon.orig/src/mn.c mipv6-daemon/src/mn.c
--- mipv6-daemon.orig/src/mn.c	2010-07-06 14:50:34.000000000 +0200
+++ mipv6-daemon/src/mn.c	2010-07-06 14:54:12.000000000 +0200
@@ -1646,9 +1646,10 @@
 	iif = pkt_info.ipi6_ifindex;
 	na = (struct nd_neighbor_advert *)msg;
 
-	if (iif != ifindex || 
-	    hoplimit < 255 || na->nd_na_code != 0 ||
-	    len < sizeof(struct nd_neighbor_advert) ||
+	if (iif != ifindex ||
+	    hoplimit < 255 ||
+ 	    len < sizeof(struct nd_neighbor_advert) ||
+	    na->nd_na_code != 0 ||
 	    IN6_IS_ADDR_MULTICAST(&na->nd_na_target) ||
 	    (na->nd_na_flags_reserved & ND_NA_FLAG_SOLICITED &&
 	     IN6_IS_ADDR_MULTICAST(daddr)))
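Review bot: The added line `len < sizeof(struct nd_neighbor_advert) ||` carries a space before its tab indentation, unlike the surrounding continuation lines; align it with the others. Since the point of the reorder is that no field of `na` is read before the length is known, a comment above the condition such as `/* the length check must precede any access to na fields */` would keep a later edit from moving `nd_na_code` back ahead of it. The enclosing function begins before this hunk and continues after it.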
diff -ruN mipv6-daemon.orig/src/movement.c mipv6-daemon/src/movement.c
--- mipv6-daemon.orig/src/movement.c	2010-07-06 14:50:34.000000000 +0200
+++ mipv6-daemon/src/movement.c	2010-07-06 14:56:44.000000000 +0200
@@ -818,6 +818,11 @@
 			 struct nlmsghdr *n, void *arg)
 {
 	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+
+	/* only accept messages from kernel */
+	if (who->nl_pid)
+		goto out;
+
 	switch (n->nlmsg_type) {
 	case RTM_NEWLINK:
 	case RTM_DELLINK:
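Review bot: The comment `only accept messages from kernel` does not say why `nl_pid` is the discriminator; a netlink message sent by any local process arrives with a non-zero `nl_pid`, whereas the kernel's is 0, so a comment like `/* nl_pid 0 is the kernel; anything else is a local process and is ignored */` would make the trust decision explicit. The same guard and comment are added to `xfrm_rcv` in src/xfrm.c, and this note applies there too. The callback's signature begins before this hunk and its body continues past it.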
@@ -837,6 +842,8 @@
 		/* To do: listen to changes in default and prefix routes(?) */
 		break;
 	}
+
+out:
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
 	return 0;
 }
diff -ruN mipv6-daemon.orig/src/xfrm.c mipv6-daemon/src/xfrm.c
--- mipv6-daemon.orig/src/xfrm.c	2010-07-06 14:50:34.000000000 +0200
+++ mipv6-daemon/src/xfrm.c	2010-07-06 14:57:38.000000000 +0200
@@ -1939,6 +1939,11 @@
 static int xfrm_rcv(const struct sockaddr_nl *who, struct nlmsghdr *n, void *arg)
 {
 	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+
+	/* only accept messages from kernel */
+	if (who->nl_pid)
+		goto out;
+
 	switch (n->nlmsg_type) {
 	case XFRM_MSG_ACQUIRE:
 		/* Start RO or send BRR */
@@ -1949,6 +1954,9 @@
 		parse_report(n);
 		break;
 	}
+
+
+out:
 	pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, NULL);
 	return 0;
 }
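Review bot: Two blank lines are inserted before the `out:` label here, while the matching change in movement.c inserts one; drop the extra blank line so the two callbacks read alike. Otherwise the label placement mirrors movement.c and re-enables cancellation on the rejected path as intended.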


