authorDenis Ovsienko <infrastation@yandex.ru>2011-09-26 11:18:02 +0200
committerDenis Ovsienko <infrastation@yandex.ru>2011-09-26 16:46:54 +0200
commit717750433839762d23a5f8d88fe0b4d57c8d490a (patch)
treeaea292ef6dab658197d1df6c9a5bf3f3925013ad /ospfd/ospf_packet.c
parentospfd: CVE-2011-3325 part 1 (OSPF header underrun) (diff)
ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)
This vulnerability (CERT-FI #514838) was reported by CROSS project. The error is reproducible only when ospfd debugging is enabled: * debug ospf packet all * debug ospf zebra When incoming packet header type field is set to 0x0a, ospfd will crash. * ospf_packet.c * ospf_verify_header(): add type field check * ospf_read(): perform input checks early
Diffstat (limited to 'ospfd/ospf_packet.c')
-rw-r--r--ospfd/ospf_packet.c32
1 files changed, 18 insertions, 14 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 57278788d..151ed3280 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2321,6 +2321,13 @@ ospf_verify_header (struct stream *ibuf, struct ospf_interface *oi,
return -1;
}
+ /* Valid OSPFv2 packet types are 1 through 5 inclusive. */
+ if (ospfh->type < 1 || ospfh->type > 5)
+ {
+ zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type);
+ return -1;
+ }
+
/* Check Area ID. */
if (!ospf_check_area_id (oi, ospfh))
{
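Review bot: The bounds in the new check `if (ospfh->type < 1 || ospfh->type > 5)` are bare literals; ospf_packet.h names these message types, so `if (ospfh->type < OSPF_MSG_HELLO || ospfh->type > OSPF_MSG_LS_ACK)` would keep the range tied to those definitions. The `zlog_warn` on this path evaluates `IF_NAME (oi)`, so it presumably requires a non-NULL `oi`. It is also emitted once per malformed packet, and nothing in this hunk limits the log volume if a peer keeps sending invalid types. The body of ospf_verify_header starts and ends outside the hunk.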
@@ -2448,6 +2455,17 @@ ospf_read (struct thread *thread)
/* associate packet with ospf interface */
oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);
+ /* Verify header fields before any further processing. */
+ ret = ospf_verify_header (ibuf, oi, iph, ospfh);
+ if (ret < 0)
+ {
+ if (IS_DEBUG_OSPF_PACKET (0, RECV))
+ zlog_debug ("ospf_read[%s]: Header check failed, "
+ "dropping.",
+ inet_ntoa (iph->ip_src));
+ return ret;
+ }
+
/* If incoming interface is passive one, ignore it. */
if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)
{
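Review bot: The relocated `ospf_verify_header (ibuf, oi, iph, ospfh)` call now runs directly after `ospf_if_lookup_recv_if ()`, before anything visible here establishes that `oi` is non-NULL; the very next statement still tests `if (oi && ...)`, which suggests the lookup can return NULL. ospf_verify_header uses `oi` in `IF_NAME (oi)` and `ospf_check_area_id (oi, ospfh)`, so a packet with no matching OSPF interface may now become a NULL dereference on the receive path, with debugging on or off. A narrower change would do only the oi-independent test at this point, e.g. `if (ospfh->type < 1 || ospfh->type > 5) return -1;`, and leave the full header verification after the interface has been resolved. The body of ospf_read continues outside the hunk, so the code between this point and the old call site should be checked before relying on this.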
@@ -2557,20 +2575,6 @@ ospf_read (struct thread *thread)
zlog_debug ("-----------------------------------------------------");
}
- /* Some header verification. */
- ret = ospf_verify_header (ibuf, oi, iph, ospfh);
- if (ret < 0)
- {
- if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV))
- {
- zlog_debug ("ospf_read[%s/%s]: Header check failed, "
- "dropping.",
- ospf_packet_type_str[ospfh->type],
- inet_ntoa (iph->ip_src));
- }
- return ret;
- }
-
stream_forward_getp (ibuf, OSPF_HEADER_SIZE);
/* Adjust size to message length. */