2 files changed, 49 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch
new file mode 100644
index 0000000000..fe7ce41b87
--- /dev/null
+++ b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch
@@ -0,0 +1,48 @@
+From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 5 Jun 2024 11:57:43 +0800
+Subject: [PATCH] libndp: valid route information option length
+RFC 4191 specifies that the Route Information Option Length should be 1, 2,
+or 3, depending on the Prefix Length. A malicious node could potentially
+trigger a buffer overflow and crash the tool by sending an IPv6 router
+advertisement message containing the "Route Information" option with a
+"Length" field larger than 3.
+To address this, add a check on the length field.
+Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
+Reported-by: Evgeny Vereshchagin <evverx@gmail.com>
+Suggested-by: Felix Maurer <fmaurer@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+CVE: CVE-2024-5564
+Upstream-Status: Backport [https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ libndp/libndp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+diff --git a/libndp/libndp.c b/libndp/libndp.c
+index 6314717..72ec92e 100644
+--- a/libndp/libndp.c
+++ b/libndp/libndp.c
+@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
+         */
+        if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
+                return false;
+
+       /* The Length field is 1, 2, or 3 depending on the Prefix Length.
+        * If Prefix Length is greater than 64, then Length must be 3.
+        * If Prefix Length is greater than 0, then Length must be 2 or 3.
+        * If Prefix Length is zero, then Length must be 1, 2, or 3.
+        */
+       if (ri->nd_opt_ri_len > 3 ||
+           (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
+           (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
+               return false;
+
+        return true;
+ }
+ 
diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb
index 4d4d3e51cd..70d6abec1b 100644
--- a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb
+++ b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb
@@ -4,6 +4,7 @@ LICENSE = "LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \
+           file://CVE-2024-5564.patch \
           "
 # tag for v1.8
 SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"

diff --git a/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch new file mode 100644 index 0000000000..fe7ce41b87 --- /dev/null +++ b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch
@@ -0,0 +1,48 @@
		1	From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
		2	From: Hangbin Liu <liuhangbin@gmail.com>
		3	Date: Wed, 5 Jun 2024 11:57:43 +0800
		4	Subject: [PATCH] libndp: valid route information option length
		5
		6	RFC 4191 specifies that the Route Information Option Length should be 1, 2,
		7	or 3, depending on the Prefix Length. A malicious node could potentially
		8	trigger a buffer overflow and crash the tool by sending an IPv6 router
		9	advertisement message containing the "Route Information" option with a
		10	"Length" field larger than 3.
		11
		12	To address this, add a check on the length field.
		13
		14	Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
		15	Reported-by: Evgeny Vereshchagin <evverx@gmail.com>
		16	Suggested-by: Felix Maurer <fmaurer@redhat.com>
		17	Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
		18	Signed-off-by: Jiri Pirko <jiri@nvidia.com>
		19
		20	CVE: CVE-2024-5564
		21	Upstream-Status: Backport [https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af]
		22	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		23	---
		24	libndp/libndp.c \| 11 +++++++++++
		25	1 file changed, 11 insertions(+)
		26
		27	diff --git a/libndp/libndp.c b/libndp/libndp.c
		28	index 6314717..72ec92e 100644
		29	--- a/libndp/libndp.c
		30	+++ b/libndp/libndp.c
		31	@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
		32	*/
		33	if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
		34	return false;
		35	+
		36	+ /* The Length field is 1, 2, or 3 depending on the Prefix Length.
		37	+ * If Prefix Length is greater than 64, then Length must be 3.
		38	+ * If Prefix Length is greater than 0, then Length must be 2 or 3.
		39	+ * If Prefix Length is zero, then Length must be 1, 2, or 3.
		40	+ */
		41	+ if (ri->nd_opt_ri_len > 3 \|\|
		42	+ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) \|\|
		43	+ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
		44	+ return false;
		45	+
		46	return true;
		47	}
		48


diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb index 4d4d3e51cd..70d6abec1b 100644 --- a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb +++ b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb
@@ -4,6 +4,7 @@ LICENSE = "LGPL-2.1-only"
4	LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"	4	LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
5		5
6	SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \	6	SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \
		7	file://CVE-2024-5564.patch \
7	"	8	"
8	# tag for v1.8	9	# tag for v1.8
9	SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"	10	SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"