rtsold: Fix validation of RDNSS options
The header specifies the size of the option in multiples of eight bytes.
The option consists of an eight-byte header followed by one or more IPv6
addresses, so the option is invalid if the size is not equal to 1+2n for
some n>0. Check this.
The bug can cause random stack data to be formatted as an IPv6 address
and passed to resolvconf(8), but a host able to trigger the bug may also
specify arbitrary addresses this way.
Approved by: re (cperciva)
Reported by: Q C <cq674350529@gmail.com>
Sponsored by: The FreeBSD Foundation
(cherry picked from commit
1af332a7d8f86b6fcc1f0f575fe5b06021b54f4c)
(cherry picked from commit
e4bdf7ac2a32ba1f2402e06360e476ec804210e7)
projects / FreeBSD / FreeBSD.git / commit