CVSROOT:	/cvs
Module name:	src
Changes by:	flor...@cvs.openbsd.org	2022/03/21 10:25:47
Modified files:
	sbin/slaacd       : engine.c frontend.c slaacd.h
	usr.sbin/slaacctl : slaacctl.c

Log message:
Prevent crash of unprivileged engine process (pledged stdio).

The length field of a DNS label in the DNS search list option is an 8 bit
unsigned value. parse_dnssl() treats the search list option as an array of
char, which are signed on most archs. When we read this value into an int
variable it gets sign extended, allowing it to bypass sanity checks and
eventually we pass it as the length to memcpy which treats it as a huge
unsigned value leading to a heap overflow.

An easy fix would be to change the signature of parse_dnssl to
parse_dnssl(uint8_t* data, int datalen).

However, the DNS search list option is unused and the function fails to
check if the parsed value is a valid domain name. The function is also
getting in the way of future work so it's best to just delete it.

The problem was found and reported by Qualys, thanks!

OK bluhm
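The sign-extension path the commit describes, reduced to a small added example (not slaacd's code): a label length byte of 0xff read through a signed char becomes -1, slips past a "longer than the remaining buffer" check, and would reach memcpy as SIZE_MAX, whereas the same byte read as uint8_t is caught. The functions, the sample option bytes and the bounds check are constructed here; `signed char` is used explicitly so the result does not depend on the platform's char signedness.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: one DNS label whose length byte is 0xff, followed by
 * only seven bytes of data. Labels are encoded as <len><len bytes>... */
static const uint8_t sample_dnssl[] = { 0xff, 'e', 'x', 'a', 'm', 'p', 'l', 'e' };

/* Buggy pattern: option walked as signed char, length read into an int.
 * Returns the parsed length, or -2 when the bounds check rejects it. */
int label_len_signed(const signed char *data, int datalen)
{
	int len = data[0];          /* 0xff sign-extends to -1 */
	if (len > datalen - 1)      /* negative len never trips this check */
		return -2;
	return len;                 /* -1 escapes to the caller */
}

/* Fixed pattern (the uint8_t signature the commit mentions): the byte is
 * 255, which is larger than the remaining buffer and gets rejected. */
int label_len_unsigned(const uint8_t *data, int datalen)
{
	int len = data[0];
	if (len > datalen - 1)
		return -2;
	return len;
}

/* The value memcpy's size_t parameter would actually receive. */
size_t as_memcpy_len(int len)
{
	return (size_t)len;         /* -1 becomes SIZE_MAX */
}

int main(void)
{
	int datalen = (int)sizeof(sample_dnssl);
	int s = label_len_signed((const signed char *)sample_dnssl, datalen);
	int u = label_len_unsigned(sample_dnssl, datalen);

	printf("signed char path:   len=%d -> memcpy size %zu\n", s, as_memcpy_len(s));
	printf("uint8_t path:       %s\n", u == -2 ? "rejected by bounds check" : "accepted");
	return 0;
}
```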