On Nov 16, 2016, at 10:05 AM, Paul Jakma <p...@jakma.org> wrote:
> On Tue, 15 Nov 2016, Alexis Rosen wrote:
>
>> As far as I can tell, this is an editing error of some sort, and in fact you
>> can NOT trigger the issue simply by having an IPv6 address reachable with an
>> ICMP.
>
> Ah, what's the basis for that? I looked at the code, and that security claim
> seemed possible.

ISTM that the bug is in code which allocates memory to hold contents of a
received RA, so if you can't get RAs on the box, you'll never try to allocate
a too-small amount of memory. RSes as well? However, given the difficulty/CPU
cost of blocking obscured ICMPv6 packets (see for example RFC7113), maybe
drawing the distinction between different types of ICMPs isn't all that useful
in a practical security context.

>> Later in the advisory, it says:
>
>>> Usage of Quagga without running the 'zebra' daemon, or no
>>> IPv6 neighbor-discovery are not affected.
>>
>> A quick look at the code also suggests this is so, but my familiarity with
>> this code is basically nil, and it would be very easy for me to get this
>> wrong.
>
> The code concerned is all the zebra daemon, so that's correct. The code that
> reads the message is only enabled if the zebra RA/ND feature is.
>
> Note, you could have the kernel IPv6 ND/SLAC enabled, and be fine - it's
> about the zebra feature. That's also not 100% clear.

Yes.

/a