Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 79 additions & 0 deletions SPECS/dhcpcd/CVE-2026-14258.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
From 7fdeb81886d9be679db3dfe10982e62579356a59 Mon Sep 17 00:00:00 2001
From: Roy Marples <roy@marples.name>
Date: Sat, 7 Dec 2024 10:25:44 +0000
Subject: [PATCH] IPv6: Discard NA packets with a zero length option

As per RFC 4861 4.6.

Fixes #415.

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca54211481d21b0c915db98dd733b30794f.patch
---
src/ipv6nd.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/ipv6nd.c b/src/ipv6nd.c
index 75655ab..3aaccf3 100644
--- a/src/ipv6nd.c
+++ b/src/ipv6nd.c
@@ -1138,6 +1138,12 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx,
bool new_ia;
#endif

+#define FREE_RAP(rap) \
+ if (new_rap) \
+ ipv6nd_removefreedrop_ra(rap, 0, 0); \
+ else \
+ ipv6nd_free_ra(rap); \
+
if (ifp == NULL || RS_STATE(ifp) == NULL) {
#ifdef DEBUG_RS
logdebugx("RA for unexpected interface from %s", sfrom);
@@ -1294,8 +1300,10 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx,
memcpy(&ndo, p, sizeof(ndo));
olen = (size_t)ndo.nd_opt_len * 8;
if (olen == 0) {
+ /* RFC4681 4.6 says we MUST discard this ND packet. */
logerrx("%s: zero length option", ifp->name);
- break;
+ FREE_RAP(rap);
+ return;
}
if (olen > len) {
logerrx("%s: option length exceeds message",
@@ -1319,10 +1327,7 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx,
else
logwarnx("%s: reject RA (option %d) from %s",
ifp->name, ndo.nd_opt_type, rap->sfrom);
- if (new_rap)
- ipv6nd_removefreedrop_ra(rap, 0, 0);
- else
- ipv6nd_free_ra(rap);
+ FREE_RAP(rap);
return;
}

@@ -1573,10 +1578,7 @@ ipv6nd_handlera(struct dhcpcd_ctx *ctx,
{
logwarnx("%s: reject RA (no option %s) from %s",
ifp->name, dho->var, rap->sfrom);
- if (new_rap)
- ipv6nd_removefreedrop_ra(rap, 0, 0);
- else
- ipv6nd_free_ra(rap);
+ FREE_RAP(rap);
return;
}
}
@@ -1657,6 +1659,7 @@ nodhcp6:

/* Expire should be called last as the rap object could be destroyed */
ipv6nd_expirera(ifp);
+#undef FREE_RAP
}

bool
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/dhcpcd/dhcpcd.spec
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: A minimalistic network configuration daemon with DHCPv4, rdisc and DHCPv6 support
Name: dhcpcd
Version: 10.0.8
Release: 3%{?dist}
Release: 4%{?dist}
License: BSD-2-Clause AND ISC AND MIT
Url: https://github.com/NetworkConfiguration/%{name}
Source0: https://github.com/NetworkConfiguration/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Expand All @@ -12,6 +12,7 @@ Patch0: CVE-2026-56114.patch
Patch1: CVE-2026-56116.patch
Patch2: CVE-2026-56117.patch
Patch3: CVE-2026-56113.patch
Patch4: CVE-2026-14258.patch
Group: System Environment/Base
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand Down Expand Up @@ -79,6 +80,9 @@ install -d %{buildroot}%{_sharedstatedir}/%{_name}
%{_sharedstatedir}/%{name}

%changelog
* Fri Jul 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 10.0.8-4
- Patch for CVE-2026-14258

* Mon Jun 29 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 10.0.8-3
- Patch for CVE-2026-56113

Expand Down
Loading