rpms/mipv6-daemon/devel mipv6-daemon-nd-opts-sanity-check.patch, NONE, 1.1 mipv6-daemon-netlink-msg-origin-check.patch, NONE, 1.1 mipv6-daemon.spec, 1.4, 1.5

Thomas Graf tgraf at fedoraproject.org
Wed Jul 14 13:03:33 UTC 2010


Author: tgraf

Update of /cvs/pkgs/rpms/mipv6-daemon/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv29587

Modified Files:
	mipv6-daemon.spec 
Added Files:
	mipv6-daemon-nd-opts-sanity-check.patch 
	mipv6-daemon-netlink-msg-origin-check.patch 
Log Message:
- Fix CVE-2010-2522 and CVE-2010-2523 by including the patches:
  - Additional sanity checks for ND options length
  - Security fix: Check origin of netlink messages in netlink helpers.


mipv6-daemon-nd-opts-sanity-check.patch:
 ha.c |    7 ++++++-
 mn.c |    6 ++----
 2 files changed, 8 insertions(+), 5 deletions(-)

--- NEW FILE mipv6-daemon-nd-opts-sanity-check.patch ---
From: Romain Kuntz <kuntz at lsiit.u-strasbg.fr>
Date: Sat, 24 Oct 2009 23:34:32 +0000 (+0200)
Subject: Additional sanity checks for ND options length
X-Git-Url: http://www.umip.org/gitweb?p=umip.git;a=commitdiff_plain;h=3fd3941434a0ee567f874e56c53a5d0855c945e3

Additional sanity checks for ND options length
---

diff --git a/src/ha.c b/src/ha.c
index a091490..8d37af9 100644
--- a/src/ha.c
+++ b/src/ha.c
@@ -106,7 +106,8 @@ static void ha_recv_ra(const struct icmp6_hdr *ih, ssize_t len,
 		if (opt[0] == ND_OPT_PREFIX_INFORMATION) {
 			struct nd_opt_prefix_info *p;
 			p = (struct nd_opt_prefix_info *)opt;
-			if (p->nd_opt_pi_prefix_len > 128)
+
+			if (olen < sizeof(*p) || p->nd_opt_pi_prefix_len > 128)
 				return;
 			p->nd_opt_pi_valid_time = 
 				ntohl(p->nd_opt_pi_valid_time);
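Review bot: The new `olen < sizeof(*p)` guard has no comment saying what it protects against, and it relies on `olen` being the option's byte length already bounded against the remaining packet length, which is computed before this hunk (ha_recv_ra starts outside it) and should be confirmed. I would add `/* option must be at least as long as the struct it is cast to */` above the check; the same applies to the `olen < sizeof(*hainfo)` guard in the next hunk. Dropping the whole RA on a short option is the conservative choice and consistent with the existing prefix-length test.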
@@ -119,6 +120,10 @@ static void ha_recv_ra(const struct icmp6_hdr *ih, ssize_t len,
 			   ra->nd_ra_flags_reserved & ND_RA_FLAG_HOME_AGENT) {
 			struct nd_opt_homeagent_info *hainfo;
 			hainfo = (struct nd_opt_homeagent_info *)opt;
+
+			if (olen < sizeof(*hainfo))
+				return;
+
 			pref = ntohs(hainfo->nd_opt_hai_preference);
 			life = ntohs(hainfo->nd_opt_hai_lifetime);
 			flags = hainfo->nd_opt_hai_flags_reserved;
diff --git a/src/mn.c b/src/mn.c
index 4743472..cb88662 100644
--- a/src/mn.c
+++ b/src/mn.c
@@ -1815,10 +1815,8 @@ static int mn_recv_na(int fd, struct home_addr_info *hai,
 	iif = pkt_info.ipi6_ifindex;
 	na = (struct nd_neighbor_advert *)msg;
 
-	if (iif != ifindex || 
-	    hoplimit < 255 || na->nd_na_code != 0 ||
-	    len < sizeof(struct nd_neighbor_advert) ||
-	    IN6_IS_ADDR_MULTICAST(&na->nd_na_target) ||
+	if (iif != ifindex || hoplimit < 255 || len < sizeof(*na) ||
+	    na->nd_na_code != 0 || IN6_IS_ADDR_MULTICAST(&na->nd_na_target) ||
 	    (na->nd_na_flags_reserved & ND_NA_FLAG_SOLICITED &&
 	     IN6_IS_ADDR_MULTICAST(daddr)))
 		return 0;
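Review bot: `len < sizeof(*na)` compares `len` against a `size_t`; if `len` is declared `ssize_t` (as a recvmsg() result usually is; its declaration is outside the hunk) a negative value converts to a large unsigned number and passes the check, leaving the `na->nd_na_code` read that follows unguarded. Either confirm the caller rejects negative lengths before calling mn_recv_na, or write the guard as `len < 0 || (size_t)len < sizeof(*na)`. Moving the length test ahead of the `nd_na_code` dereference is the right ordering.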

mipv6-daemon-netlink-msg-origin-check.patch:
 libnetlink.c |   44 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 36 insertions(+), 8 deletions(-)

--- NEW FILE mipv6-daemon-netlink-msg-origin-check.patch ---
From: Arnaud Ebalard <arno at natisbad.org>
Date: Sat, 24 Oct 2009 10:11:58 +0000 (+0200)
Subject: Security fix: Check origin of netlink messages in netlink helpers.
X-Git-Url: http://www.umip.org/gitweb?p=umip.git;a=commitdiff_plain;h=0e67a61ffd37cc4e3dfa8add137a5d6cd8963a8e

Security fix: Check origin of netlink messages in netlink helpers.

Sending multicast Netlink messages requires some privileges. Sending
unicast ones can be done by common users. Then, this is up to the
receiver to filter incoming messages to verify the origin and prevent
security issues. See http://lwn.net/Articles/329266/ for more information.

As UMIP expects only kernel messages, this patch adds additional checks
where needed to verify the kernel is the emitter of the message. Note that
this check needs to be done early (before checking if recvmsg() return
value is not 0) to prevent someone sending us an empty message and
returning.

This patch is based on an initial version by Romain.
---

diff --git a/libnetlink/libnetlink.c b/libnetlink/libnetlink.c
index e4f010e..b4a0aa5 100644
--- a/libnetlink/libnetlink.c
+++ b/libnetlink/libnetlink.c
@@ -185,6 +185,15 @@ int rtnl_dump_filter(struct rtnl_handle *rth,
 			continue;
 		}
 
+		/* Everyone can send empty messages which will led to
+		 * status == 0. Before checking if status == 0, check
+		 * the origin. Here, we only allow messages from kernel.
+		 * --arno */
+		if (nladdr.nl_pid != 0) {
+			NLDBG("Dropping non-kernel Netlink message.\n");
+			continue;
+		}
+
 		if (status == 0) {
 			NLDBG("EOF on netlink\n");
 			return -1;
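Review bot: `nladdr.nl_pid` is read here without a visible `msg.msg_namelen != sizeof(nladdr)` check, whereas the rtnl_talk and rtnl_listen hunks below read it only after that check; if rtnl_dump_filter has no such check earlier in its receive loop (outside the hunk), the origin test may run on a partially filled or stale `nladdr`. I would place `if (msg.msg_namelen != sizeof(nladdr)) return -2;` ahead of the pid test, matching the other two helpers. The comment also says "will led to" in all three hunks of this patch; `will lead to` is meant.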
@@ -287,14 +296,24 @@ int rtnl_talk(struct rtnl_handle *rtnl, struct nlmsghdr *n, pid_t peer,
 			NLDBG_SYS("OVERRUN");
 			continue;
 		}
-		if (status == 0) {
-			NLDBG("EOF on netlink\n");
-			return -1;
-		}
+
 		if (msg.msg_namelen != sizeof(nladdr)) {
 			NLDBG("sender address length == %d\n", msg.msg_namelen);
 			return -2;
 		}
+		/* Everyone can send empty messages which will led to
+		 * status == 0. Before checking if status == 0, check
+		 * the origin. --arno */
+		if (nladdr.nl_pid != peer) {
+			NLDBG("Received Netlink message from unknown peer.\n");
+			continue;
+		}
+
+		if (status == 0) {
+			NLDBG("EOF on netlink\n");
+			return -1;
+		}
+
 		for (h = (struct nlmsghdr*)buf; status >= sizeof(*h); ) {
 			int err;
 			int len = h->nlmsg_len;
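Review bot: The `nladdr.nl_pid != peer` test checks the right field, but nothing in the code says why: the `sockaddr_nl` filled in by recvmsg() is the kernel-populated origin, whereas the `nlmsg_pid` inside each message header is written by the sender and cannot serve as an origin check. I would extend the comment with `/* nladdr is filled by the kernel; nlmsg_pid inside the message is sender-controlled and is not an origin check. */`. Since a mismatching message is dropped with `continue`, the NLDBG line is the only trace of a bad sender; consider including the pid, e.g. `NLDBG("Received Netlink message from unknown peer %u.\n", nladdr.nl_pid);`.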
@@ -391,14 +410,23 @@ int rtnl_listen(struct rtnl_handle *rtnl,
 			NLDBG_SYS("OVERRUN");
 			continue;
 		}
-		if (status == 0) {
-			NLDBG("EOF on netlink\n");
-			return -1;
-		}
 		if (msg.msg_namelen != sizeof(nladdr)) {
 			NLDBG("Sender address length == %d\n", msg.msg_namelen);
 			return -2;
 		}
+		/* Everyone can send empty messages which will led to
+		 * status == 0. Before checking if status == 0, check
+		 * the origin. Here, we only allow messages from kernel.
+		 * --arno */
+		if (nladdr.nl_pid != 0) {
+			NLDBG("Dropping non-kernel Netlink message.\n");
+			continue;
+		}
+
+		if (status == 0) {
+			NLDBG("EOF on netlink\n");
+			return -1;
+		}
 		for (h = (struct nlmsghdr*)buf; status >= sizeof(*h); ) {
 			int err;
 			int len = h->nlmsg_len;


Index: mipv6-daemon.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mipv6-daemon/devel/mipv6-daemon.spec,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- mipv6-daemon.spec	25 May 2010 13:10:27 -0000	1.4
+++ mipv6-daemon.spec	14 Jul 2010 13:03:32 -0000	1.5
@@ -1,6 +1,6 @@
 Name:		mipv6-daemon
 Version:	0.4
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	Mobile IPv6 (MIPv6) Daemon
 
 Group:		System Environment/Daemons
@@ -12,6 +12,8 @@ Source2:	mip6d.sysconfig
 Source3:	mip6d.conf
 Patch0:		mipv6-daemon-header-fix.patch
 Patch1:		mipv6-daemon-nemo.patch
+Patch2:		mipv6-daemon-netlink-msg-origin-check.patch
+Patch3:		mipv6-daemon-nd-opts-sanity-check.patch
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:	flex bison indent
@@ -25,6 +27,8 @@ reachable while moving around in the IPv
 %setup -q -n mipv6-daemon-umip-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 %configure
@@ -70,6 +74,10 @@ fi
 %{_mandir}/man7/*
 
 %changelog
+* Wed Jul 14 2010 Thomas Graf <tgraf at, redhat.com> 0.4-5
+- Fix CVE-2010-2522 and CVE-2010-2523 by including the patches:
+  - Additional sanity checks for ND options length
+  - Security fix: Check origin of netlink messages in netlink helpers.
 * Tue May 25 2010 Thomas Graf <tgraf at, redhat.com> 0.4-4
 - Fixed initscript according to SysVInitScript guidelines:
     - Corrected usage text


