proxmox-mirrors/mirror_frr
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-09 07:11:05 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)

Browse Source 
This vulnerability (CERT-FI #514838) was reported by CROSS project.

The error is reproducible only when ospfd debugging is enabled:
  * debug ospf packet all
  * debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.

* ospf_packet.c
  * ospf_verify_header(): add type field check
  * ospf_read(): perform input checks early
This commit is contained in:
Denis Ovsienko 2011-09-26 13:18:02 +04:00
parent 3d3380d4fd
commit 1f54cef38d
1 changed files with 18 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
ospfd/ospf_packet.c
View File

@ -2258,6 +2258,13 @@ ospf_verify_header (struct stream *ibuf, struct ospf_interface *oi,
return -1; return -1;
} }
/* Valid OSPFv2 packet types are 1 through 5 inclusive. */
if (ospfh->type < 1 || ospfh->type > 5)
{
zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type);
return -1;
}
/* Check Area ID. */ /* Check Area ID. */
if (!ospf_check_area_id (oi, ospfh)) if (!ospf_check_area_id (oi, ospfh))
{ {
@ -2385,6 +2392,17 @@ ospf_read (struct thread *thread)
/* associate packet with ospf interface */ /* associate packet with ospf interface */
oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp); oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);
/* Verify header fields before any further processing. */
ret = ospf_verify_header (ibuf, oi, iph, ospfh);
if (ret < 0)
{
if (IS_DEBUG_OSPF_PACKET (0, RECV))
zlog_debug ("ospf_read[%s]: Header check failed, "
"dropping.",
inet_ntoa (iph->ip_src));
return ret;
}
/* If incoming interface is passive one, ignore it. */ /* If incoming interface is passive one, ignore it. */
if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE) if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)
{ {
@ -2494,20 +2512,6 @@ ospf_read (struct thread *thread)
zlog_debug ("-----------------------------------------------------"); zlog_debug ("-----------------------------------------------------");
} }
/* Some header verification. */
ret = ospf_verify_header (ibuf, oi, iph, ospfh);
if (ret < 0)
{
if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV))
{
zlog_debug ("ospf_read[%s/%s]: Header check failed, "
"dropping.",
ospf_packet_type_str[ospfh->type],
inet_ntoa (iph->ip_src));
}
return ret;
}
stream_forward_getp (ibuf, OSPF_HEADER_SIZE); stream_forward_getp (ibuf, OSPF_HEADER_SIZE);
/* Adjust size to message length. */ /* Adjust size to message length. */