Merge pull request #3693 from chiragshah6/ospf_vrf_dev

ospfd: address CVE-2017-3224
This commit is contained in:
Russ White 2019-02-05 11:25:30 -05:00 committed by GitHub
commit c9b046adda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -2098,10 +2098,22 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
if (current == NULL
|| (ret = ospf_lsa_more_recent(current, lsa)) < 0) {
/* CVE-2017-3224 */
if (current && (lsa->data->ls_seqnum ==
htonl(OSPF_MAX_SEQUENCE_NUMBER)
&& !IS_LSA_MAXAGE(lsa))) {
zlog_debug(
"Link State Update[%s]: has Max Seq but not MaxAge. Dropping it",
dump_lsa_key(lsa));
DISCARD_LSA(lsa, 4);
continue;
}
/* Actual flooding procedure. */
if (ospf_flood(oi->ospf, nbr, current, lsa)
< 0) /* Trap NSSA later. */
DISCARD_LSA(lsa, 4);
DISCARD_LSA(lsa, 5);
continue;
}
@ -2158,7 +2170,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
oi->ls_ack,
ospf_lsa_lock(lsa));
DISCARD_LSA(lsa, 5);
DISCARD_LSA(lsa, 6);
} else
/* Acknowledge the receipt of the LSA by sending a
Link State Acknowledgment packet back out the
@ -2166,7 +2178,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
interface. */
{
ospf_ls_ack_send(nbr, lsa);
DISCARD_LSA(lsa, 6);
DISCARD_LSA(lsa, 7);
}
}
@ -2183,7 +2195,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
if (IS_LSA_MAXAGE(current)
&& current->data->ls_seqnum
== htonl(OSPF_MAX_SEQUENCE_NUMBER)) {
DISCARD_LSA(lsa, 7);
DISCARD_LSA(lsa, 8);
}
/* Otherwise, as long as the database copy has not been
sent in a
@ -2206,7 +2218,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
ospf_ls_upd_send_lsa(
nbr, current,
OSPF_SEND_PACKET_DIRECT);
DISCARD_LSA(lsa, 8);
DISCARD_LSA(lsa, 9);
}
}
}