
Re: [libvirt] [PATCHv2 4/3] a last minute change I forgot to add



I forgot that I was going to add in the following at the suggestion of
David Woodhouse (the original reporter of the CVE) in this comment
of the BZ:
   
  https://bugzilla.redhat.com/show_bug.cgi?id=874702#c14
   
It adds checking for the deprecated ("but still really useful")
FEC0::/10 range of IPv6 addresses.
   
I plan to squash the virsocketaddr.c change into 2/3, and the
bridge_driver.c change into 3/3 before pushing.


diff --git a/src/util/virsocketaddr.c b/src/util/virsocketaddr.c
index 2d39458..11cc706 100644
--- a/src/util/virsocketaddr.c
+++ b/src/util/virsocketaddr.c
@@ -218,7 +218,9 @@ virSocketAddrIsPrivate(const virSocketAddrPtr addr)
                (val & 0xFF000000) == ((10L  << 24)));
 
     case AF_INET6:
-        return (addr->data.inet6.sin6_addr.s6_addr[0] & 0xFC) == 0xFC;
+        return ((addr->data.inet6.sin6_addr.s6_addr[0] & 0xFC) == 0xFC ||
+                ((addr->data.inet6.sin6_addr.s6_addr[0] & 0xFF) == 0xFE &&
+                 (addr->data.inet6.sin6_addr.s6_addr[1] & 0xC0) == 0xC0));
     }
     return false;
 }
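Review bot: in the AF_INET6 branch, the `& 0xFF` mask on `s6_addr[0]` has no effect on an 8-bit value, so the new clause can compare directly with `addr->data.inet6.sin6_addr.s6_addr[0] == 0xFE`. The return now covers two separate prefixes (FC00::/7 in the first clause, FEC0::/10 in the second), and a short comment above it naming both would help the next reader see that link-local FE80::/10 is not matched, since its second byte fails the `& 0xC0) == 0xC0` test.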


diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index f6bdaf1..9a291d4 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -707,7 +707,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
                 goto cleanup;
             /* also part of CVE 2012-3411 - if the host's version of
              * dnsmasq doesn't have --bind-dynamic, only allow listening on
-             * private/local IP addresses (see RFC1918/RFC4193)
+             * private/local IP addresses (see RFC1918/RFC3484/RFC4193)
              */
             if (!virSocketAddrIsPrivate(&tmpipdef->address)) {
                 unsigned long version = dnsmasqCapsGetVersion(caps);
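Review bot: the citation added to this comment, RFC3484, is the IPv6 default address selection document and not the one that defines or deprecates the site-local prefix; since the cover text calls FEC0::/10 deprecated, RFC3879 (the deprecation of site-local addresses) would point readers at the right place. Naming the prefix in the comment as well, for example "private/local IP addresses (RFC1918, RFC4193, or site-local FEC0::/10)", would tie it to the new check in virSocketAddrIsPrivate().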
@@ -719,7 +719,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
                                  "for safe operation on a publicly
routable subnet "
                                  "(see CVE-2012-3411). You must either
upgrade dnsmasq, "
                                  "or use a private/local subnet range
for this network "
-                                 "(as described in RFC1918/RFC4193)."),
ipaddr,
+                                 "(as described in
RFC1918/RFC3484/RFC4193)."), ipaddr,
                                (int)version / 1000000, (int)(version %
1000000) / 1000);
                 goto cleanup;
             }
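Review bot: the string literals in this hunk are wrapped mid-line as posted (for example `"for safe operation on a publicly` continues on an unprefixed `routable subnet "` line, and the `+` line is split before `RFC1918/RFC3484/RFC4193`), so the hunk will not apply as sent; it needs to be resent without mail-client line wrapping. The RFC list in this message repeats the one in the comment of the previous hunk, so any change to that citation has to be made in both places.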

