From 7c7bfe3bb517d5367a69e6003dafcc121dbc1e14 Mon Sep 17 00:00:00 2001
From: mgb01105731 <mgb01105731@alibaba-inc.com>
Date: Tue, 25 Jun 2024 17:43:19 +0800
Subject: [PATCH] CVE-2024-5564

---
 CVE-2024-5564.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
 libndp.spec         |  9 +++++++--
 2 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2024-5564.patch

diff --git a/CVE-2024-5564.patch b/CVE-2024-5564.patch
new file mode 100644
index 0000000..15c9129
--- /dev/null
+++ b/CVE-2024-5564.patch
@@ -0,0 +1,44 @@
+From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 5 Jun 2024 11:57:43 +0800
+Subject: [PATCH] libndp: valid route information option length
+
+RFC 4191 specifies that the Route Information Option Length should be 1, 2,
+or 3, depending on the Prefix Length. A malicious node could potentially
+trigger a buffer overflow and crash the tool by sending an IPv6 router
+advertisement message containing the "Route Information" option with a
+"Length" field larger than 3.
+
+To address this, add a check on the length field.
+
+Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)")
+Reported-by: Evgeny Vereshchagin <evverx@gmail.com>
+Suggested-by: Felix Maurer <fmaurer@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+---
+ libndp/libndp.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/libndp/libndp.c b/libndp/libndp.c
+index 6314717..72ec92e 100644
+--- a/libndp/libndp.c
++++ b/libndp/libndp.c
+@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data)
+ 	 */
+ 	if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2)
+ 		return false;
++
++	/* The Length field is 1, 2, or 3 depending on the Prefix Length.
++	 * If Prefix Length is greater than 64, then Length must be 3.
++	 * If Prefix Length is greater than 0, then Length must be 2 or 3.
++	 * If Prefix Length is zero, then Length must be 1, 2, or 3.
++	 */
++	if (ri->nd_opt_ri_len > 3 ||
++	    (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) ||
++	    (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1))
++		return false;
++
+ 	return true;
+ }
+ 
diff --git a/libndp.spec b/libndp.spec
index 9fb348f..c6f35c3 100644
--- a/libndp.spec
+++ b/libndp.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 Name: libndp
 Version: 1.8
 Release: %{anolis_release}%{?dist}
@@ -7,6 +7,8 @@ License: LGPLv2+
 URL: http://www.libndp.org/
 Source: http://www.libndp.org/files/libndp-%{version}.tar.gz
 
+Patch0: CVE-2024-5564.patch
+
 BuildRequires:  gcc
 BuildRequires: make
 %description
@@ -23,7 +25,7 @@ The libndp-devel package contains the header files and libraries
 necessary for developing programs using libndp.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 %configure --disable-static
@@ -52,6 +54,9 @@ find $RPM_BUILD_ROOT -name \*.la -delete
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Tue Jun 25 2024 mgb01105731 <mgb01105731@alibaba-inc.com> - 1.8-3
+- CVE-2024-5564
+
 * Mon Oct 24 2022 mgb01105731 <mgb01105731@alibaba-inc.com> - 1.8-2
 - optimise spec file
 
-- 
Gitee