)]}' { "commit": "cfb1fae25f8c092e0d17073eaf7bd428ce1cd546", "tree": "60162a121a7898dc20e9a18ec12d3dc88edf1e61", "parents": [ "ef9bc88981570ef8ea744f0ab96730d192328a49" ], "author": { "name": "David Lamparter", "email": "equinox@opensourcerouting.org", "time": "Wed Aug 31 13:31:16 2016 +0200" }, "committer": { "name": "Paul Jakma", "email": "paul.jakma@hpe.com", "time": "Mon Oct 17 17:41:36 2016 +0100" }, "message": "zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)\n\nThe IPv6 RA code also receives ICMPv6 RS and RA messages.\nUnfortunately, by bad coding practice, the buffer size specified on\nreceiving such messages mixed up 2 constants that in fact have\ndifferent values.\n\nThe code itself has:\n #define RTADV_MSG_SIZE 4096\nWhile BUFSIZ is system-dependent, in my case (x86_64 glibc):\n /usr/include/_G_config.h:#define _G_BUFSIZ 8192\n /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ\n /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ\n\nFreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them\nhave BUFSIZ \u003d\u003d 1024.\n\nAs the latter is passed to the kernel on recvmsg(), it\u0027s possible to\noverwrite 4kB of stack -- with ICMPv6 packets that can be globally sent\nto any of the system\u0027s addresses (using fragmentation to get to 8k).\n\n(The socket has filters installed limiting this to RS and RA packets,\nbut does not have a filter for source address or TTL.)\n\nIssue discovered by trying to test other stuff, which randomly caused\nthe stack to be smaller than 8kB in that code location, which then\ncauses the kernel to report EFAULT (Bad address).\n\nSigned-off-by: David Lamparter \u003cequinox@opensourcerouting.org\u003e\nReviewed-by: Donald Sharp \u003csharpd@cumulusnetworks.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "d4ef1b885ae851d340926ba22d54c2e575e9d03a", "old_mode": 33188, "old_path": "zebra/rtadv.c", "new_id": "2f62714d81db32a0fdb0e049c7aed7cdd8ceb19d", "new_mode": 33188, "new_path": "zebra/rtadv.c" } ] }