Remote vulnerability in OpenBSD IPv6 stack

The slaacd daemon, which implements IPv6 Stateless Address Autoconfiguration (RFC 4862) in OpenBSD, contains a vulnerability: a specially crafted IPv6 Router Advertisement (RA) message causes a buffer overflow.

Initially, IPv6 address autoconfiguration was implemented in the kernel, but since OpenBSD 6.2 it has been moved into a separate unprivileged slaacd process. This process is responsible for sending Router Solicitation (RS) messages and parsing the Router Advertisement (RA) responses, which carry information about the router and the network configuration parameters.

In February, slaacd received a fix for a bug that crashed the daemon when 7 servers were listed in the RDNSS (Recursive DNS Servers) option. That fix drew the attention of independent researchers, who went on to examine the slaacd code for other errors in the parsing of RA option fields. Their analysis turned up another problem, in the handling of the DNSSL (DNS Search List) option, which carries the list of domain suffixes used for DNS name searches.

Each name in the DNSSL list is encoded in DNS wire format: a sequence of labels, each preceded by a one-byte length field giving the size of the label data that follows, with the whole name terminated by a zero byte. The vulnerability stems from the list parsing code copying that length byte into a variable of signed integer type ("len = data[pos]"). If the field carries a value with the high bit set, the conditional treats it as a negative number, so the maximum-size check ("if (len > 63 || len + pos + 1 > datalen) {") never fires, and memcpy is called with a length that exceeds the size of the destination buffer.
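The following is an added example, not code from the OpenBSD tree: it models the check quoted above in both its vulnerable and hardened form and adds a bounds-checked DNSSL decoder. The function names (vuln_accepts, fixed_accepts, parse_dnssl_safe) and the two sample option payloads are constructed for the illustration. The vulnerable variant reads the length byte through an explicitly signed char so the sign-extension happens on every platform (plain char is signed on amd64, which is where the real bug bites); it only reports the length memcpy would receive rather than performing the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: "example.com" and "lan" in DNS wire format,
 * zero-padded the way the option is padded on the wire. */
static const uint8_t good_dnssl[] = {
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    3, 'l', 'a', 'n', 0,
    0, 0, 0, 0, 0, 0
};

/* Constructed malicious payload: a length byte with the high bit set. */
static const uint8_t evil_dnssl[] = { 0x80, 'A', 'A', 'A', 0 };

/* Vulnerable pattern (hypothetical model of the check described in the text):
 * the length byte lands in a signed int, so 0x80 becomes -128 and both
 * comparisons pass. Returns 1 if the check would let the label through and
 * writes the size memcpy would be called with into *copylen. */
int vuln_accepts(const char *data, int datalen, int pos, size_t *copylen)
{
    int len = (signed char)data[pos];       /* sign-extended: 0x80 -> -128 */
    if (len > 63 || len + pos + 1 > datalen)
        return 0;
    *copylen = (size_t)len;                 /* negative int -> huge size_t */
    return 1;
}

/* Hardened pattern: read the length as an unsigned byte, so any value
 * above 63 is rejected and the arithmetic cannot go negative. */
int fixed_accepts(const uint8_t *data, int datalen, int pos, size_t *copylen)
{
    uint8_t len = data[pos];
    if (len > 63 || len + pos + 1 > datalen)
        return 0;
    *copylen = len;
    return 1;
}

/* Bounds-checked decoder for a whole DNSSL payload. Writes the names as a
 * space-separated list of dotted names into out. Returns the number of
 * names decoded, or -1 if the payload is malformed or out is too small. */
int parse_dnssl_safe(const uint8_t *data, size_t datalen,
                     char *out, size_t outlen)
{
    size_t pos = 0, o = 0;
    int names = 0, in_name = 0;

    if (outlen == 0)
        return -1;
    while (pos < datalen) {
        uint8_t len = data[pos++];
        if (len == 0) {                     /* end of name, or padding */
            if (in_name) { names++; in_name = 0; }
            continue;
        }
        /* label too long, or label runs past the end of the option */
        if (len > 63 || len > datalen - pos)
            return -1;
        char sep = in_name ? '.' : (names > 0 ? ' ' : 0);
        if (sep) {
            if (o + 1 >= outlen) return -1;
            out[o++] = sep;
        }
        if (len >= outlen - o)              /* need len bytes plus the NUL */
            return -1;
        memcpy(out + o, data + pos, len);
        o += len;
        pos += len;
        in_name = 1;
    }
    if (in_name)                            /* last name not terminated */
        return -1;
    out[o] = '\0';
    return names;
}

int main(void)
{
    size_t n = 0;
    char out[128];

    printf("vulnerable check accepts 0x80: %d, memcpy length would be %zu\n",
           vuln_accepts((const char *)evil_dnssl, sizeof evil_dnssl, 0, &n), n);
    printf("hardened check accepts 0x80: %d\n",
           fixed_accepts(evil_dnssl, sizeof evil_dnssl, 0, &n));
    printf("decoded %d names: %s\n",
           parse_dnssl_safe(good_dnssl, sizeof good_dnssl, out, sizeof out), out);
    return 0;
}
```

The decoder treats a zero length byte outside a name as padding, which is what the option format requires, and it checks the remaining input (len > datalen - pos) rather than adding len to a position that has already been advanced, so the comparison can never wrap.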

Source: opennet.ru
