From 16290f50e9f9adb7f0e1ef1f5b5078e705c2dff5 Mon Sep 17 00:00:00 2001
From: Ronan Pigott
Date: Mon, 3 Jul 2023 00:36:04 -0700
Subject: [PATCH 1/2] ndisc: clear ndisc captive portal value on bogus zero-len option
This value was freed but erroneously never cleared, leading to use-after-free.
Fixes: 9747955d2d60 ("ndisc: parse RFC8910 captive portal ipv6ra option")
---
 src/network/networkd-ndisc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index da5312c5ff4..025deeff900 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -734,7 +734,7 @@ static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt)
 return r;
 if (len == 0) {
- mfree(link->ndisc_captive_portal);
+ link->ndisc_captive_portal = mfree(link->ndisc_captive_portal);
 return 0;
 }
From 8231286fafa32d9aab83fc0459a659c885921ee2 Mon Sep 17 00:00:00 2001
From: Ronan Pigott
Date: Mon, 3 Jul 2023 03:07:57 -0700
Subject: [PATCH 2/2] ndisc: reject malformed captive portal URI with EBADMSG
This allows the correct, gracious, error handling to follow up in the ndisc handler. Otherwise, an internal error is assumed and the interface disabled.
Fixes: 9747955d2d60 ("ndisc: parse RFC8910 captive portal ipv6ra option")
---
 src/network/networkd-ndisc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index 025deeff900..8115595dc5c 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -743,7 +743,7 @@ static int ndisc_router_process_captive_portal(Link *link, sd_ndisc_router *rt)
 return r;
 if (!in_charset(captive_portal, URI_VALID))
- return -EINVAL;
+ return -EBADMSG;
 if (!streq_ptr(link->ndisc_captive_portal, captive_portal)) {
 free_and_replace(link->ndisc_captive_portal, captive_portal);
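Review bot: The cleared branch would benefit from a one-line comment giving its rationale, since the subject calls a zero-length option bogus yet the code treats it as a request to forget the stored URI rather than as an error: `/* Zero-length option: forget any previously learned captive portal URI. */`. If the replace path later in the function records the change (for example by marking the link dirty) when a new URI is stored, the same presumably should happen here when a non-NULL value was actually dropped; that code is outside the hunk, so worth confirming. ndisc_router_process_captive_portal starts before and continues after the hunk.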
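Review bot: The switch to -EBADMSG is justified only in the commit message, so a comment above the return should carry the reason: `/* Malformed option data from the network: report a protocol error, not an internal one, so the caller can log and ignore it instead of tearing down the link. */`. That wording assumes the ndisc handler maps -EBADMSG to a non-fatal path, which is outside the hunk. The early return also abandons captive_portal; if it is declared _cleanup_free_ earlier in the function (the later free_and_replace use suggests so) nothing leaks, otherwise this path leaks it just as the -EINVAL path did. Because the rejected bytes come from whatever router sent the RA, a debug-level log naming the interface on this path would make a misbehaving router diagnosable; the function begins before and ends after the hunk.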