[Midnightbsd-cvs] src [6994] U stable/0.5/sys/netinet6/nd6_rtr.c: 0.5.11 RELEASE

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Tue Apr 7 21:35:46 EDT 2015


Revision: 6994
          http://svnweb.midnightbsd.org/src/?rev=6994
Author:   laffer1
Date:     2015-04-07 21:35:45 -0400 (Tue, 07 Apr 2015)
Log Message:
-----------
0.5.11 RELEASE

Fix two security vulnerabilities:

The previous fix for IGMP had an overflow issue. This has been corrected.

ipv6: The Neighbor Discovery Protocol allows a local router to advertise a
suggested Current Hop Limit value of a link, which will replace
Current Hop Limit on an interface connected to the link on the MidnightBSD
system.

Obtained from: FreeBSD

Modified Paths:
--------------
    stable/0.5/UPDATING
    stable/0.5/sys/conf/newvers.sh
    stable/0.5/sys/netinet/igmp.c
    stable/0.5/sys/netinet6/nd6_rtr.c

Property Changed:
----------------
    stable/0.5/sys/netinet6/nd6_nbr.c
    stable/0.5/sys/netinet6/nd6_rtr.c

Modified: stable/0.5/UPDATING
===================================================================
--- stable/0.5/UPDATING	2015-04-08 01:29:54 UTC (rev 6993)
+++ stable/0.5/UPDATING	2015-04-08 01:35:45 UTC (rev 6994)
@@ -1,5 +1,17 @@
 Updating Information for MidnightBSD users.
 
+20150407:
+	0.5.11 RELEASE
+
+	Fix two security vulnerabilities:
+
+	The previous fix for IGMP had an overflow issue. This has been corrected.
+
+	ipv6: The Neighbor Discover Protocol allows a local router to advertise a
+	suggested Current Hop Limit value of a link, which will replace
+	Current Hop Limit on an interface connected to the link on the MidnightBSD
+	system.
+
 20150320:
 	OpenSSL CVE-2015-0209 and CVE-2015-0288
 

Modified: stable/0.5/sys/conf/newvers.sh
===================================================================
--- stable/0.5/sys/conf/newvers.sh	2015-04-08 01:29:54 UTC (rev 6993)
+++ stable/0.5/sys/conf/newvers.sh	2015-04-08 01:35:45 UTC (rev 6994)
@@ -32,7 +32,7 @@
 # $MidnightBSD$
 
 TYPE="MidnightBSD"
-REVISION="0.5.10"
+REVISION="0.5.11"
 BRANCH="RELEASE"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}

Modified: stable/0.5/sys/netinet/igmp.c
===================================================================
--- stable/0.5/sys/netinet/igmp.c	2015-04-08 01:29:54 UTC (rev 6993)
+++ stable/0.5/sys/netinet/igmp.c	2015-04-08 01:35:45 UTC (rev 6994)
@@ -1533,7 +1533,6 @@
 				struct igmpv3 *igmpv3;
 				uint16_t igmpv3len;
 				uint16_t nsrc;
-				int srclen;
 
 				IGMPSTAT_INC(igps_rcv_v3_queries);
 				igmpv3 = (struct igmpv3 *)igmp;
@@ -1541,8 +1540,8 @@
 				 * Validate length based on source count.
 				 */
 				nsrc = ntohs(igmpv3->igmp_numsrc);
-				srclen = sizeof(struct in_addr) * nsrc;
-				if (nsrc * sizeof(in_addr_t) > srclen) {
+				if (nsrc * sizeof(in_addr_t) >
+				    UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
 					IGMPSTAT_INC(igps_rcv_tooshort);
 					return;
 				}
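Review bot: The bound added in this hunk is written with `sizeof(in_addr_t)`, while the length it protects (next hunk) is computed as `sizeof(struct in_addr) * nsrc`, so the guard only keeps the `uint16_t igmpv3len` sum from wrapping while those two sizes stay equal. Using one expression in both places, e.g. `if (nsrc * sizeof(struct in_addr) >` in the check, ties the guard to the value it bounds. The existing comment "Validate length based on source count" does not say what is being validated; a line such as `/* Reject source counts that would push igmpv3len past UINT16_MAX. */` would record why the limit exists. The rejection is also counted under `igps_rcv_tooshort` although the condition is an oversized source count, which may mislead anyone reading the statistics. `iphlen` is declared outside the hunk; if it is signed, the right-hand side is converted to unsigned for the comparison, which is presumably harmless for valid header lengths but worth confirming, and the enclosing function starts and ends outside these hunks.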
@@ -1551,7 +1550,7 @@
 				 * this scope.
 				 */
 				igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
-				    srclen;
+				    sizeof(struct in_addr) * nsrc;
 				if ((m->m_flags & M_EXT ||
 				     m->m_len < igmpv3len) &&
 				    (m = m_pullup(m, igmpv3len)) == NULL) {

Index: stable/0.5/sys/netinet6/nd6_nbr.c
===================================================================
--- stable/0.5/sys/netinet6/nd6_nbr.c	2015-04-08 01:29:54 UTC (rev 6993)
+++ stable/0.5/sys/netinet6/nd6_nbr.c	2015-04-08 01:35:45 UTC (rev 6994)

Property changes on: stable/0.5/sys/netinet6/nd6_nbr.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.7
\ No newline at end of property
Modified: stable/0.5/sys/netinet6/nd6_rtr.c
===================================================================
--- stable/0.5/sys/netinet6/nd6_rtr.c	2015-04-08 01:29:54 UTC (rev 6993)
+++ stable/0.5/sys/netinet6/nd6_rtr.c	2015-04-08 01:35:45 UTC (rev 6994)
@@ -296,8 +296,16 @@
 	}
 	if (nd_ra->nd_ra_retransmit)
 		ndi->retrans = ntohl(nd_ra->nd_ra_retransmit);
-	if (nd_ra->nd_ra_curhoplimit)
-		ndi->chlim = nd_ra->nd_ra_curhoplimit;
+	if (nd_ra->nd_ra_curhoplimit) {
+		if (ndi->chlim < nd_ra->nd_ra_curhoplimit)
+			ndi->chlim = nd_ra->nd_ra_curhoplimit;
+		else if (ndi->chlim != nd_ra->nd_ra_curhoplimit) {
+			log(LOG_ERR, "RA with a lower CurHopLimit sent from "
+			    "%s on %s (current = %d, received = %d). "
+			    "Ignored.\n", ip6_sprintf(ip6bufs, &ip6->ip6_src),
+			    if_name(ifp), ndi->chlim, nd_ra->nd_ra_curhoplimit);
+		}
+	}
 	dr = defrtrlist_update(&dr0);
     }
 
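Review bot: The new `log(LOG_ERR, ...)` in the else-branch fires once for every Router Advertisement carrying a lower CurHopLimit, and nothing in the hunk rate-limits or gates it, so a node on the link that keeps sending such RAs can fill the kernel log. Consider bounding the message rate (for example with the kernel's `ppsratecheck()`, or a debug-gated logging wrapper if this file already has one) and logging at a lower priority than `LOG_ERR`. The branch also makes `ndi->chlim` increase-only, which deserves a comment such as `/* Accept only a larger CurHopLimit; a lower value from an RA is logged and ignored. */`, because a legitimate router can no longer lower the value and any larger advertised value is still accepted without a check. The enclosing function begins and ends outside the hunk.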


Property changes on: stable/0.5/sys/netinet6/nd6_rtr.c
___________________________________________________________________
Deleted: cvs2svn:cvs-rev
## -1 +0,0 ##
-1.7
\ No newline at end of property

