diff options
| author | Chirag Shah <chirag@cumulusnetworks.com> | 2019-01-26 02:21:24 +0100 |
|---|---|---|
| committer | Chirag Shah <chirag@cumulusnetworks.com> | 2019-02-03 23:42:37 +0100 |
| commit | 76c1efd7550668a46f499bfc7cc71d00c4ac2d54 (patch) | |
| tree | 3a528ea11837b715da94069a7bb8e38ce602dee1 /ospfd/ospf_packet.c | |
| parent | Merge pull request #3714 from donaldsharp/thread_strlcpy (diff) | |
| download | frr-76c1efd7550668a46f499bfc7cc71d00c4ac2d54.tar.xz frr-76c1efd7550668a46f499bfc7cc71d00c4ac2d54.zip | |
ospfd: address CVE-2017-3224
Based on the vulnerability mentioned in 793496 an attacker can craft an
LSA with MaxSequence number wtih invalid links and not set age to MAX_AGE
so the lsa would not be flush from the database.
To address the issue, check incoming LSA is MaxSeq but Age is not set
to MAX_AGE 3600, discard the LSA from processing it.
Based on RFC-2328 , When a LSA update sequence reaches MaxSequence
number, it should be prematurely aged out from the database with age set
to MAX_AGE (3600).
Ticket:CM-18989
Reviewed By:
Testing Done:
Signed-off-by: Chirag Shah <chirag@cumulusnetworks.com>
Diffstat (limited to '')
| -rw-r--r-- | ospfd/ospf_packet.c | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 30f5a2a80..ecc55c2ee 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -2098,10 +2098,22 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, if (current == NULL || (ret = ospf_lsa_more_recent(current, lsa)) < 0) { + /* CVE-2017-3224 */ + if (current && (lsa->data->ls_seqnum == + htonl(OSPF_MAX_SEQUENCE_NUMBER) + && !IS_LSA_MAXAGE(lsa))) { + zlog_debug( + "Link State Update[%s]: has Max Seq but not MaxAge. Dropping it", + dump_lsa_key(lsa)); + + DISCARD_LSA(lsa, 4); + continue; + } + /* Actual flooding procedure. */ if (ospf_flood(oi->ospf, nbr, current, lsa) < 0) /* Trap NSSA later. */ - DISCARD_LSA(lsa, 4); + DISCARD_LSA(lsa, 5); continue; } @@ -2158,7 +2170,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, oi->ls_ack, ospf_lsa_lock(lsa)); - DISCARD_LSA(lsa, 5); + DISCARD_LSA(lsa, 6); } else /* Acknowledge the receipt of the LSA by sending a Link State Acknowledgment packet back out the @@ -2166,7 +2178,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, interface. */ { ospf_ls_ack_send(nbr, lsa); - DISCARD_LSA(lsa, 6); + DISCARD_LSA(lsa, 7); } } @@ -2183,7 +2195,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, if (IS_LSA_MAXAGE(current) && current->data->ls_seqnum == htonl(OSPF_MAX_SEQUENCE_NUMBER)) { - DISCARD_LSA(lsa, 7); + DISCARD_LSA(lsa, 8); } /* Otherwise, as long as the database copy has not been sent in a @@ -2206,7 +2218,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, ospf_ls_upd_send_lsa( nbr, current, OSPF_SEND_PACKET_DIRECT); - DISCARD_LSA(lsa, 8); + DISCARD_LSA(lsa, 9); } } } |