author | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 11:18:02 +0200 |
---|---|---|
committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 16:46:54 +0200 |
commit | 717750433839762d23a5f8d88fe0b4d57c8d490a (patch) | |
tree | aea292ef6dab658197d1df6c9a5bf3f3925013ad /ospfd/ospf_packet.c | |
parent | ospfd: CVE-2011-3325 part 1 (OSPF header underrun) (diff) | |
ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)
This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
* debug ospf packet all
* debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
* ospf_verify_header(): add type field check
* ospf_read(): perform input checks early
Diffstat (limited to 'ospfd/ospf_packet.c')
-rw-r--r-- | ospfd/ospf_packet.c | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 57278788d..151ed3280 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2321,6 +2321,13 @@ ospf_verify_header (struct stream *ibuf, struct ospf_interface *oi,
  return -1;
  }
 
+ /* Valid OSPFv2 packet types are 1 through 5 inclusive. */
+ if (ospfh->type < 1 || ospfh->type > 5)
+ {
+ zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type);
+ return -1;
+ }
+
  /* Check Area ID. */
  if (!ospf_check_area_id (oi, ospfh))
  {
@@ -2448,6 +2455,17 @@ ospf_read (struct thread *thread)
  /* associate packet with ospf interface */
  oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);
 
+ /* Verify header fields before any further processing. */
+ ret = ospf_verify_header (ibuf, oi, iph, ospfh);
+ if (ret < 0)
+ {
+ if (IS_DEBUG_OSPF_PACKET (0, RECV))
+ zlog_debug ("ospf_read[%s]: Header check failed, "
+ "dropping.",
+ inet_ntoa (iph->ip_src));
+ return ret;
+ }
+
  /* If incoming interface is passive one, ignore it. */
  if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)
  {
@@ -2557,20 +2575,6 @@ ospf_read (struct thread *thread)
  zlog_debug ("-----------------------------------------------------");
  }
 
- /* Some header verification. */
- ret = ospf_verify_header (ibuf, oi, iph, ospfh);
- if (ret < 0)
- {
- if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV))
- {
- zlog_debug ("ospf_read[%s/%s]: Header check failed, "
- "dropping.",
- ospf_packet_type_str[ospfh->type],
- inet_ntoa (iph->ip_src));
- }
- return ret;
- }
-
  stream_forward_getp (ibuf, OSPF_HEADER_SIZE);
 
  /* Adjust size to message length. */ |
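Review bot: The bounds in `if (ospfh->type < 1 || ospfh->type > 5)` in the first hunk are bare literals, and nothing there says which lookups the check protects. The lines removed in the last hunk show the type being used as an index (`ospf_packet_type_str[ospfh->type]` and `IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV)`), so I would write the test against ospfd's packet-type constants, `if (ospfh->type < OSPF_MSG_HELLO || ospfh->type > OSPF_MSG_LS_ACK)`, assuming those are in scope in this file. I would also extend the comment to `/* Valid OSPFv2 packet types are 1 through 5 inclusive; the type indexes the per-type name and debug tables. */`. The `zlog_warn` fires once per rejected packet, so a sender on the segment can fill the log. Whether authentication has already run at this point is not visible, because ospf_verify_header starts and ends outside the hunk.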
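Review bot: In the second hunk the relocated `ret = ospf_verify_header (ibuf, oi, iph, ospfh);` now runs directly after `ospf_if_lookup_recv_if`, ahead of the `if (oi && ...)` test on the following context line, which suggests `oi` can still be NULL here. The first hunk shows ospf_verify_header passing `oi` to `IF_NAME (oi)` and `ospf_check_area_id (oi, ospfh)`; if either dereferences it, a packet that matches no interface would replace one remotely triggered crash with another. I would either guard the call, `if (oi == NULL) return 0;` (or whatever drop path ospf_read already uses for an unmatched interface, which is outside the hunk), or move only the type range check up here and leave the full verification where `oi` is known to be valid. Separately, `IS_DEBUG_OSPF_PACKET (0, RECV)` hard-codes index 0, so the drop message appears only when debugging for the first packet type is enabled; a comment such as `/* type is not trusted yet, so gate on a fixed debug slot */` would make that choice explicit.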