Hey Petr,

Your analysis is much appreciated!  Thank you.

Lonnie


> On Apr 2, 2022, at 10:01 AM, Petr Menšík <pemen...@redhat.com> wrote:
> 
> Hi Lonnie,
> 
> I made just a quick evaluation, but it does not seem possible. It happens
> during creating a reply to a DHCP message. ra-only ranges should not
> create a DHCP range, which would accept an incoming message. It should log
> the message "no address range available for DHCPv6 request" followed by some
> detail. If it does so, then it avoids the only function where it may happen.
> 
> If no DHCP6 messages are involved, this vulnerability cannot be
> triggered. ra-only should only broadcast its prefix(es) to end stations
> without accepting messages from them. It should be safe.
> 
> Regards,
> Petr
> 
> On 4/1/22 16:37, Lonnie Abelbeck wrote:
>>> On Mar 31, 2022, at 2:04 PM, Petr Menšík <pemen...@redhat.com> wrote:
>>> 
>>> A possible vulnerability was found in the latest dnsmasq. It was found with
>>> the help of the oss-fuzz Google project by me and shortly after that independently
>>> also by Richard Johnson of Trellix Threat Labs.
>>> 
>>> It is affected only by DHCPv6 requests, which could be crafted to modify 
>>> already freed memory. Red Hat security assigned this vulnerability 
>>> CVE-2022-0934.
>> Are dnsmasq IPv6 configs *only* using "ra-only" (ex.):
>> --
>> dhcp-range=...,ra-only,64,24h
>> --
>> Immune from CVE-2022-0934 ?
>> 
>> Lonnie
>> 
> -- 
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
> 
> 


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
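
Added example, not part of the thread and not dnsmasq code: a conservative audit of a dnsmasq config for the question asked above, listing every IPv6 `dhcp-range` line and separating those that carry the `ra-only` keyword from those that need review. The sample config, the function name and the verdict labels are constructed for illustration; only the literal `ra-only` keyword is matched, and any other IPv6 range is flagged for review rather than classified.

```python
import re

# Constructed sample config (not from the thread); addresses use the
# 2001:db8::/32 documentation prefix.
SAMPLE_CONF = """\
# LAN: router advertisements only
dhcp-range=2001:db8:1::,ra-only,64,24h
dhcp-range=tag:guest,::,constructor:br-guest,ra-only
dhcp-range=2001:db8:2::100,2001:db8:2::1ff,64,12h
dhcp-range=::,constructor:eth1,ra-stateless,ra-names
dhcp-range=192.168.1.50,192.168.1.150,12h
"""

DHCP_RANGE = re.compile(r"^dhcp-range\s*=\s*(.+)$")


def audit_dhcp_ranges(conf_text):
    """Return (line_no, line, verdict) for each IPv6 dhcp-range line.

    verdict is "ra-only" when the range carries the ra-only keyword (the
    configuration discussed in the thread), otherwise "review".
    """
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DHCP_RANGE.match(line)
        if not match:
            continue
        fields = [f.strip() for f in match.group(1).split(",")]
        # Leading tag:/set: fields precede the start address; skip them.
        fields = [f for f in fields if not f.startswith(("tag:", "set:"))]
        if not fields or ":" not in fields[0]:
            continue  # IPv4 range: DHCPv6 is not involved
        modes = {f.lower() for f in fields[1:]}
        verdict = "ra-only" if "ra-only" in modes else "review"
        findings.append((line_no, line, verdict))
    return findings


if __name__ == "__main__":
    for line_no, line, verdict in audit_dhcp_ranges(SAMPLE_CONF):
        print(f"{line_no:>3}  {verdict:<8} {line}")
```

Lines reported as `review` are the ones where a DHCPv6 request may be accepted, so the patch level of the dnsmasq build matters there.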