 |
| Etusivu |  |
CERT-FIPL 313 ViestintävirastoItämerenkatu 3 A |
CERT-FI Vulnerability Advisory on NetBSDVersion Information There is a programming error leading to 'supervisor trap integer divide fault' and stopping of the NetBSD kernel when it receives malformed ICMPv6 MLD query. The problem occurs when NetBSD receives ICMPv6 MLD-QUERY packet which has Maximum-Response-Delay field set to value 0x0001 (We have verified that the fault occurs also with values 0x0002 - 0x0009). The fault occurs in function mld_input() (in src/sys/netinet6/mld6.c), when timeout value is calculated: mld_timerresid(in6m) > (u_long)timer) { in6m->in6m_timer = arc4random() % (int)(((long)timer * hz) / 1000); mld_starttimer(in6m); The 'timer' variable contains the anomalious value from the MLD query received and it causes the (int)(((long)timer * hz)/1000) statement to have value 0. This in turn triggers the integer divide fault.
Vendor Statements The issue is covered in the advisory ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-011.txt.asc KAME Some recent KAME code has been found vulnerable Juniper Unknown Apple This issue does not affect shipping versions of Mac OS X. FreeBSD The bug was present in the source tree and has been fixed. However, neither i386, pc98, amd64 or sparc64 were affected in the currently supported branches and default configuration.
Contact Information Email: Telephone: Fax :
|
|
