On 2022-03-21 10:25 -06, Florian Obser <flor...@cvs.openbsd.org> wrote:
> CVSROOT: /cvs
> Module name: src
> Changes by: flor...@cvs.openbsd.org 2022/03/21 10:25:47
>
> Modified files:
> sbin/slaacd : engine.c frontend.c slaacd.h
> usr.sbin/slaacctl: slaacctl.c
>
> Log message:
> Prevent crash of unprivileged engine process (pledged stdio).
>
> The length field of a DNS label in the DNS search list option is an 8
> bit unsigned value. parse_dnssl() treats the search list option as an
> array of char, which are signed on most archs. When we read this value
> into an int variable it gets sign extended, allowing it to bypass
> sanity checks and eventually we pass it as the length to memcpy which
> treats it as a huge unsigned value leading to a heap overflow.
>
> An easy fix would be to change the signature of parse_dnssl to
> parse_dnssl(uint8_t* data, int datalen).
>
> However, the DNS search list option is unused and the function fails
> to check if the parsed value is a valid domain name. The function is
> also getting in the way of future work so it's best to just delete it.
>
> The problem was found and reported by qualys, thanks!
>
> OK bluhm
>
Unfortunately there was a misunderstanding: this problem was found and reported by Francisco Falcon of Quarkslab. I'm very sorry for the misattribution.
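The sign-extension bypass described in the quoted log message, shown as an added illustration rather than slaacd's own code: the flawed check reads the label length through a signed char into an int, the hardened form reads it as uint8_t (the "easy fix" the message mentions) and additionally enforces the RFC 1035 label limit of 63 octets. Function names and the two sample label buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Flawed pattern from the commit message: option bytes handled as char,
 * signed on most architectures (spelled signed char here so the result is
 * the same on every platform). A length byte >= 0x80 is sign-extended into
 * the int, slips past the "fits in remaining data" check as a negative
 * number, and the (size_t) cast is what memcpy would have received.
 */
static int
label_len_signed(const signed char *data, int datalen, size_t *len_out)
{
	int len;
	if (datalen < 1)
		return 0;
	len = data[0];			/* 0xC0 becomes -64 */
	if (len > datalen - 1)		/* -64 > 3 is false: check bypassed */
		return 0;
	*len_out = (size_t)len;		/* huge value handed to memcpy */
	return 1;
}

/*
 * Hardened form (the "easy fix" the commit mentions): read the length as
 * uint8_t so it is 0..255, and also enforce the RFC 1035 label limit of 63.
 */
static int
label_len_unsigned(const uint8_t *data, size_t datalen, size_t *len_out)
{
	size_t len;
	if (datalen < 1)
		return 0;
	len = data[0];
	if (len == 0 || len > 63 || len > datalen - 1)
		return 0;
	*len_out = len;
	return 1;
}

/* Constructed samples: a hostile length byte, and a well-formed label "com". */
static const uint8_t bad_label[]  = { 0xC0, 'a', 'b', 'c' };
static const uint8_t good_label[] = { 0x03, 'c', 'o', 'm' };

/* Runs both parsers over a sample; bit 1 = signed passed, bit 0 = unsigned passed. */
static int
check_sample(const uint8_t *buf, size_t n, size_t *slen, size_t *ulen)
{
	int s = label_len_signed((const signed char *)buf, (int)n, slen);
	int u = label_len_unsigned(buf, n, ulen);
	return (s << 1) | u;
}
```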