Re: [libvirt] [PATCHv2 4/3] a last minute change I forgot to add
I forgot that I was going to add in the following at the suggestion of
David Woodhouse (the original reporter of the CVE) in this comment
of the BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=874702#c14
It adds checking for the deprecated ("but still really useful")
FEC0::/10 range of IPv6 addresses.
I plan to squash the virsocketaddr.c change into 2/3, and the
bridge_driver.c change into 3/3 before pushing.
diff --git a/src/util/virsocketaddr.c b/src/util/virsocketaddr.c
index 2d39458..11cc706 100644
--- a/src/util/virsocketaddr.c
+++ b/src/util/virsocketaddr.c
@@ -218,7 +218,9 @@ virSocketAddrIsPrivate(const virSocketAddrPtr addr)
(val & 0xFF000000) == ((10L << 24)));
case AF_INET6:
- return (addr->data.inet6.sin6_addr.s6_addr[0] & 0xFC) == 0xFC;
+ return ((addr->data.inet6.sin6_addr.s6_addr[0] & 0xFC) == 0xFC ||
+ ((addr->data.inet6.sin6_addr.s6_addr[0] & 0xFF) == 0xFE
&&
+ (addr->data.inet6.sin6_addr.s6_addr[1] & 0xC0) == 0xC0));
}
return false;
}
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index f6bdaf1..9a291d4 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -707,7 +707,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
goto cleanup;
/* also part of CVE 2012-3411 - if the host's version of
* dnsmasq doesn't have --bind-dynamic, only allow listening on
- * private/local IP addresses (see RFC1918/RFC4193)
+ * private/local IP addresses (see RFC1918/RFC3484/RFC4193)
*/
if (!virSocketAddrIsPrivate(&tmpipdef->address)) {
unsigned long version = dnsmasqCapsGetVersion(caps);
@@ -719,7 +719,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
"for safe operation on a publicly
routable subnet "
"(see CVE-2012-3411). You must either
upgrade dnsmasq, "
"or use a private/local subnet range
for this network "
- "(as described in RFC1918/RFC4193)."),
ipaddr,
+ "(as described in
RFC1918/RFC3484/RFC4193)."), ipaddr,
(int)version / 1000000, (int)(version %
1000000) / 1000);
goto cleanup;
}