Hi Lonnie,

I made just a quick evaluation, but it does not seem possible. It happens
while creating a reply to a DHCP message. ra-only ranges should not
create a DHCP range which would accept an incoming message. It should log
the message "no address range available for DHCPv6 request" followed by some
detail. If it does so, then it avoids the only function where it may happen.

If no DHCP6 messages are involved, this vulnerability cannot be
triggered. ra-only should only broadcast its prefix(es) to end stations
without accepting messages from them. It should be safe.

Regards,
Petr

On 4/1/22 16:37, Lonnie Abelbeck wrote:
>> On Mar 31, 2022, at 2:04 PM, Petr Menšík <pemen...@redhat.com> wrote:
>>
>> A possible vulnerability was found in the latest dnsmasq. It was found with the help
>> of the oss-fuzz Google project by me and shortly after that independently also by
>> Richard Johnson of Trellix Threat Labs.
>>
>> It is affected only by DHCPv6 requests, which could be crafted to modify 
>> already freed memory. Red Hat security assigned this vulnerability 
>> CVE-2022-0934.
> Are dnsmasq IPv6 configs *only* using "ra-only" (ex.):
> --
> dhcp-range=...,ra-only,64,24h
> --
> Immune from CVE-2022-0934 ?
>
> Lonnie
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
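
For anyone auditing a config against the reply above, here is an added example (not part of the original thread and not dnsmasq project code) that lists the IPv6 `dhcp-range` lines in a config, marks which carry `ra-only`, and pulls the quoted log message out of a log. The function names, sample config and sample log lines are constructed; the mode keywords are taken from the dnsmasq man page; a "review" verdict only means the line is not ra-only, and `conf-file`/`conf-dir` includes are not followed.

```python
import re

# IPv6-only mode keywords listed for dhcp-range in the dnsmasq man page.
RA_MODES = {"ra-only", "slaac", "ra-names", "ra-stateless", "ra-advrouter", "off-link"}
# Log text quoted in the reply above.
LOG_MARKER = "no address range available for DHCPv6 request"

def classify_ranges(conf_text):
    """Return (lineno, verdict, line) for every IPv6 dhcp-range in conf_text."""
    results = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        m = re.match(r"(?:--)?dhcp-range\s*=\s*(.+)$", line)
        if not m:
            continue
        fields = [f.strip() for f in m.group(1).split(",")]
        # Drop tag:/set:/net: selectors; their colon is not an IPv6 address.
        fields = [f for f in fields if not re.match(r"(tag|set|net):", f)]
        modes = RA_MODES.intersection(fields)
        # IPv6 if an RA mode is present or any field has a colon
        # (an address, "::", or constructor:<iface>).
        if not modes and not any(":" in f for f in fields):
            continue  # IPv4 range, out of scope here
        verdict = "ra-only" if "ra-only" in modes else "review"
        results.append((lineno, verdict, line))
    return results

def dhcpv6_rejections(log_lines):
    """Return log lines showing a DHCPv6 request that matched no DHCP range."""
    return [l for l in log_lines if LOG_MARKER in l]

# Constructed sample input (2001:db8::/32 is the documentation prefix).
SAMPLE_CONF = "\n".join([
    "# constructed sample config",
    "dhcp-range=192.0.2.50,192.0.2.150,12h",
    "dhcp-range=::,constructor:eth0,ra-only,64,24h",
    "dhcp-range=tag:lan,2001:db8:1::100,2001:db8:1::1ff,64,12h",
    "dhcp-range=2001:db8:2::,ra-stateless,ra-names",
])
SAMPLE_LOG = [
    "Apr  1 16:40:01 gw dnsmasq-dhcp[812]: RTR-ADVERT(eth0) 2001:db8::",
    "Apr  1 16:40:07 gw dnsmasq-dhcp[812]: " + LOG_MARKER + " via eth0",
]

if __name__ == "__main__":
    for lineno, verdict, line in classify_ranges(SAMPLE_CONF):
        print(f"{lineno:3} {verdict:8} {line}")
    for hit in dhcpv6_rejections(SAMPLE_LOG):
        print("log:", hit)
```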
