zebra: stack overrun in IPv6 RA receive code (CVE ##TBA##)

The IPv6 RA code also receives ICMPv6 RS and RA messages.
Unfortunately, by bad coding practice, the buffer size specified on
receiving such messages mixed up 2 constants that in fact have different
values.

The code itself has:
 #define RTADV_MSG_SIZE 4096
While BUFSIZ is system-dependent, in my case (x86_64 glibc):
 /usr/include/_G_config.h:#define _G_BUFSIZ 8192
 /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
 /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ

As the latter is passed to the kernel on recvmsg(), it's possible to
overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
to any of the system's addresses (using fragmentation to get to 8k).

(The socket has filters installed limiting this to RS and RA packets,
but does not have a filter for source address or TTL.)

Issue discovered by trying to test other stuff, which randomly caused
the stack to be smaller than 8kB in that code location, which then
causes the kernel to report EFAULT (Bad address).

Ticket: CM-12687
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>
(cherry picked from commit 6a98e6a916c18bb130430d1dcbd9f23a17ac97bd)

1 files changed, 1 insertions, 1 deletions

diff --git a/zebra/rtadv.c b/zebra/rtadv.c
index 8333d2e08..54614a232 100644
--- a/zebra/rtadv.c
+++ b/zebra/rtadv.c
@@ -619,7 +619,7 @@ rtadv_read (struct thread *thread)
   /* Register myself. */
   rtadv_event (zns, RTADV_READ, sock);
 
-  len = rtadv_recv_packet (zns, sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
+  len = rtadv_recv_packet (zns, sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
 
   if (len < 0) 
     {