Subject: bin/33422: rtadvd accepts invalid packets
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <martti.kuparinen@iki.fi>
List: netbsd-bugs
Date: 05/04/2006 11:25:01
>Number:         33422
>Category:       bin
>Synopsis:       rtadvd accepts invalid packets
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 04 11:25:00 +0000 2006
>Originator:     Martti Kuparinen
>Release:        NetBSD 3.0_STABLE
>Organization:
>Environment:
System: NetBSD p130.mydomain.com 3.0_STABLE NetBSD 3.0_STABLE (P130) #0: Fri Apr 28 07:25:35 EEST 2006 root@p130.mydomain.com:/usr/src/sys/arch/i386/compile/P130 i386
Architecture: i386
Machine: i386

>Description:

While trying to understand why our NetBSD 3.0 router fails to answer
incoming Router Solicitation (RS) messages, we found out that IPF 4.1.x
is blocking RS messages if they don't contain the Source Link-Layer
Address (SLLA) option (or maybe any other option?).

We added an SLLA option to packets which were sent from the unspecified
address (::) and discovered that the rtadvd daemon is in fact accepting
these invalid RS packets.

>How-To-Repeat:

Send an RS from the unspecified address and add an SLLA option to the packet.
Please note that this is not a valid packet according to RFC 2461 chapter 6.1.1.

Note how rtadvd does not complain about this invalid packet but
happily sends a Router Advertisement (RA) back.

>Fix:

Please apply this patch to netbsd-1-6, netbsd-2, netbsd-2-0,
netbsd-3-0 and netbsd-3 branches. This problem is already fixed
in NetBSD 3.99.x.

Index: rtadvd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/rtadvd/rtadvd.c,v
retrieving revision 1.28
diff -u -r1.28 rtadvd.c
--- rtadvd.c	14 Mar 2003 18:43:52 -0000	1.28
+++ rtadvd.c	4 May 2006 10:58:20 -0000
@@ -1228,10 +1228,10 @@
 		}
 
 		switch (hdr->nd_opt_type) {
-		case ND_OPT_SOURCE_LINKADDR:
 		case ND_OPT_TARGET_LINKADDR:
 		case ND_OPT_REDIRECTED_HEADER:
 			break;	/* we don't care about these options */
+		case ND_OPT_SOURCE_LINKADDR:
 		case ND_OPT_MTU:
 			if (ndopts->nd_opt_array[hdr->nd_opt_type]) {
 				syslog(LOG_INFO,
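Review bot: moving `case ND_OPT_SOURCE_LINKADDR:` down into the `ND_OPT_MTU` arm only makes the option parser record the SLLA option in `ndopts->nd_opt_array`; nothing in this hunk rejects an RS whose source is the unspecified address. The fix therefore depends on the RS input path testing that recorded option against the source address, so please confirm that check is present in revision 1.28 and on each branch named in the request, or add it to the patch. The diff is taken against 1.28 only, so it should also be checked that the hunk applies on all five branches. A repeated SLLA option now also reaches the `if (ndopts->nd_opt_array[hdr->nd_opt_type])` branch and its `syslog(LOG_INFO, ...)` call, which is worth stating in the commit message.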
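As an added illustration (not part of this PR and not rtadvd's code), the RFC 2461 section 6.1.1 validity checks for a received RS can be written as follows. It covers more than the one case reported here. The function, enum and sample-packet names are assumptions of the example, and checksum and authentication checks are assumed to be handled elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from RFC 2461; the identifiers are local to this example. */
#define RS_TYPE    133  /* ICMPv6 Router Solicitation */
#define OPT_SLLA   1    /* Source Link-Layer Address option */
#define RS_HDR_LEN 8    /* type, code, checksum, reserved */

enum rs_verdict { RS_OK, RS_BAD_HLIM, RS_BAD_HDR, RS_BAD_CODE,
                  RS_BAD_OPT, RS_SLLA_FROM_UNSPEC };

/* Constructed sample data: "::", fe80::1, and an RS with one SLLA option. */
const uint8_t ADDR_UNSPEC[16] = { 0 };
const uint8_t ADDR_LL[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
const uint8_t SAMPLE_RS[16] = { 133, 0, 0, 0, 0, 0, 0, 0,
                                1, 1, 0x02, 0, 0, 0, 0, 0x01 };

/* RFC 2461 section 6.1.1 checks on one received RS. src is the IPv6 source
 * address, hlim the received hop limit, msg/len the ICMPv6 message; the
 * checksum is assumed to have been verified by the IP stack already. */
enum rs_verdict rs_validate(const uint8_t src[16], int hlim,
                            const uint8_t *msg, size_t len)
{
    int from_unspec = memcmp(src, ADDR_UNSPEC, 16) == 0;
    size_t off;

    if (hlim != 255)
        return RS_BAD_HLIM;      /* packet may have crossed a router */
    if (len < RS_HDR_LEN || msg[0] != RS_TYPE)
        return RS_BAD_HDR;
    if (msg[1] != 0)
        return RS_BAD_CODE;
    /* Each option: type (1 octet), length (1 octet, units of 8 octets). */
    for (off = RS_HDR_LEN; off < len; off += (size_t)msg[off + 1] * 8) {
        if (len - off < 2 || msg[off + 1] == 0 ||
            (size_t)msg[off + 1] * 8 > len - off)
            return RS_BAD_OPT;   /* truncated, zero-length or overrunning */
        if (msg[off] == OPT_SLLA && from_unspec)
            return RS_SLLA_FROM_UNSPEC;  /* the case this PR reports */
    }
    return RS_OK;
}

int main(void)
{
    return rs_validate(ADDR_UNSPEC, 255, SAMPLE_RS, sizeof SAMPLE_RS)
           != RS_SLLA_FROM_UNSPEC;   /* exit 0 when the packet is rejected */
}
```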