David Lamparter c51443f4aa ospfd: CVE-2013-2236, stack overrun in apiserver
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers.  This leads
to an exploitable stack overflow.

For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option

If either of these does not hold, the relevant code is not executed and
the issue does not get triggered.

Since the issue occurs on receiving large LSAs (larger than 1488 bytes),
it is possible for this to happen during normal operation of a network.
In particular, if there is an OSPF router with a large number of
interfaces, the Router-LSA of that router may exceed 1488 bytes and
trigger this, leading to an ospfd crash.

For an attacker to exploit this, s/he must be able to inject valid LSAs
into the OSPF domain.  Any best-practice protection measure (using
crypto authentication, restricting OSPF to internal interfaces, packet
filtering protocol 89, etc.) will prevent exploitation.  On top of that,
remote (not on an OSPF-speaking network segment) attackers will have
difficulties bringing up the adjacency needed to inject an LSA.

This patch only performs minimal changes to remove the possibility of a
stack overrun.  The OSPF API in general is quite ugly and needs a
rewrite.

Reported-by: Ricky Charlet <ricky.charlet@hp.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-28 16:13:10 +02:00
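The bug class the commit message describes, an LSA whose header-declared length is copied into a fixed on-stack message buffer without a bounds check, shown in C as an added illustration. This is not Quagga's code and not the patch itself: the API message layout, the function names, and the 1488-byte payload size (taken from the threshold the message cites) are assumptions. The "before" routine reports how many bytes would land past the buffer instead of actually writing them, so the demo stays free of undefined behaviour; the "after" routine rejects the LSA unless its declared length is at least a full header, no more than the bytes actually received, and no more than the destination can hold.

```c
/*
 * Added illustration of the stack-overrun pattern described in the
 * CVE-2013-2236 commit message.  NOT Quagga's code: struct layout, names
 * and the 1488-byte payload limit are assumptions taken from the text.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* OSPFv2 LSA header (RFC 2328, A.4.1): 20 bytes, 16-bit length field last,
 * network byte order. */
#define LSA_HDR_LEN 20

/* Assumed: notifications are formatted into an on-stack message of this
 * size; the commit text says LSAs above 1488 bytes overflow it. */
#define API_MSG_PAYLOAD 1488

struct api_msg {
    uint16_t type;                   /* notification type (assumed field) */
    uint16_t len;                    /* payload bytes actually used */
    uint8_t  payload[API_MSG_PAYLOAD];
};

/* Read the network-order length field at offset 18 of the LSA header;
 * 0 if fewer than LSA_HDR_LEN bytes were received. */
static uint16_t lsa_declared_len(const uint8_t *lsa, size_t avail)
{
    if (avail < LSA_HDR_LEN)
        return 0;
    return (uint16_t)((lsa[18] << 8) | lsa[19]);
}

/* "Before": the unchecked memcpy(buf, lsa, declared_len) pattern.  Rather
 * than performing the copy, return how many bytes it would write past the
 * end of a buffer of API_MSG_PAYLOAD bytes (0 means no overrun). */
size_t overrun_bytes_unchecked(const uint8_t *lsa, size_t avail)
{
    uint16_t len = lsa_declared_len(lsa, avail);
    return len > API_MSG_PAYLOAD ? (size_t)len - API_MSG_PAYLOAD : 0;
}

/* "After": validate the declared length against the header minimum, the
 * bytes actually received, and the destination capacity before copying.
 * Returns the payload length on success, -1 when the LSA is rejected. */
int build_notify_checked(struct api_msg *out, const uint8_t *lsa, size_t avail)
{
    uint16_t len = lsa_declared_len(lsa, avail);
    if (len < LSA_HDR_LEN || len > avail || len > API_MSG_PAYLOAD)
        return -1;
    out->type = 1;                   /* assumed "LSA change" type code */
    out->len = len;
    memcpy(out->payload, lsa, len);
    return (int)len;
}

/* Constructed sample: a zeroed Router-LSA-shaped record with a chosen
 * length field, standing in for an LSA received from the LSDB. */
static uint8_t sample[2048];

static void make_lsa(uint8_t *buf, size_t buflen, uint16_t declared)
{
    memset(buf, 0, buflen);
    buf[3]  = 1;                     /* LS type 1 = Router-LSA */
    buf[18] = (uint8_t)(declared >> 8);
    buf[19] = (uint8_t)(declared & 0xff);
}

/* Helpers that build a sample LSA and run each path on it. */
size_t overrun_for(uint16_t declared)
{
    make_lsa(sample, sizeof sample, declared);
    return overrun_bytes_unchecked(sample, sizeof sample);
}

int checked_len_for(uint16_t declared, size_t avail)
{
    struct api_msg msg;
    make_lsa(sample, sizeof sample, declared);
    if (avail > sizeof sample)
        avail = sizeof sample;
    return build_notify_checked(&msg, sample, avail);
}

int main(void)
{
    printf("1500-byte LSA, unchecked: %zu bytes past the buffer\n", overrun_for(1500));
    printf("1500-byte LSA, checked:   %d\n", checked_len_for(1500, 2048));
    printf("1488-byte LSA, checked:   %d\n", checked_len_for(1488, 2048));
    printf("1200 declared, 100 recv:  %d\n", checked_len_for(1200, 100));
    return 0;
}
```

The third condition in the checked path (declared length versus bytes actually received) is the one easiest to forget: checking only against the destination buffer still lets a short, truncated LSA with a large length field read past the end of the source.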
Top-level tree at this commit (path | last commit | date):

babeld | *: use array_size() helper macro | 2012-10-25 10:15:59 -07:00
bgpd | hash: force size to be a power of 2 | 2013-02-24 20:42:40 +01:00
doc | doc: fix makeinfo errors and one warning | 2013-04-09 17:04:25 +02:00
fpm | fpm: Add public header for Forwarding Plane Manager | 2012-11-30 21:41:17 +01:00
init | build: delete .cvsignore files | 2011-12-13 14:27:01 +04:00
isisd | isisd: fix ipv6 metric endianness | 2012-12-12 15:38:14 +01:00
lib | lib/vty: register vtysh socket in server socket vector (BZ#754) | 2013-04-09 22:35:29 +02:00
m4 | build: fix "pragma weak" mixups | 2013-02-09 03:00:12 +01:00
ospf6d | *: use array_size() helper macro | 2012-10-25 10:15:59 -07:00
ospfclient | build: correct libtool parameter used within Makefiles | 2012-09-25 05:56:00 +02:00
ospfd | ospfd: CVE-2013-2236, stack overrun in apiserver | 2013-07-28 16:13:10 +02:00
pkgsrc | build: delete .cvsignore files | 2011-12-13 14:27:01 +04:00
ports | build: delete .cvsignore files | 2011-12-13 14:27:01 +04:00
redhat | build: update quagga.spec.in | 2013-02-23 19:43:18 +01:00
ripd | ripd: correctly redistribute ifindex routes (BZ#664) | 2013-04-09 22:33:19 +02:00
ripngd | *: use array_size() helper macro | 2012-10-25 10:15:59 -07:00
solaris | build: delete .cvsignore files | 2011-12-13 14:27:01 +04:00
tests | tests: don't build tests unless make check is run | 2013-07-15 08:50:38 -04:00
tools | tools: use standard interpreter path in all Perl scripts | 2012-04-30 16:13:47 +02:00
vtysh | vtysh: fix false lib path matching in extract.pl.in | 2013-02-23 19:38:37 +01:00
watchquagga | *: use array_size() helper macro | 2012-10-25 10:15:59 -07:00
zebra | zebra: use SO_RCVBUFFORCE for netlink socket | 2013-02-23 18:19:24 +01:00
.gitignore | testzebra: pragma weak: detect systems with weak alias and provide alternative | 2013-01-11 21:50:06 +01:00
AUTHORS | Initial revision | 2002-12-13 20:15:29 +00:00
bootstrap.sh | autoreconf -i | 2007-02-06 19:28:28 +00:00
buildtest.sh | tests: add DejaGNU framework | 2013-04-14 16:01:05 +02:00
ChangeLog | [trivia] Make 'make dist' happy about ChangeLog expunge | 2008-08-23 08:36:42 +01:00
configure.ac | tests: DejaGNU libzebra | 2013-04-14 16:01:19 +02:00
COPYING | Initial revision | 2002-12-13 20:15:29 +00:00
COPYING.LIB | Initial revision | 2002-12-13 20:15:29 +00:00
HACKING.pending | HACKING.pending: Add Quagga-RE details | 2012-03-02 11:56:38 +00:00
HACKING.tex | HACKING.tex: Change to a LaTeX version of HACKING | 2012-03-08 16:14:13 +00:00
INSTALL.quagga.txt | doc: Modernize INSTALL.quagga.txt. | 2013-07-15 10:17:06 -04:00
Makefile.am | build: fix dist tarball | 2012-12-13 11:04:37 +01:00
NEWS | doc: update NEWS for 0.99.22 changes | 2013-02-01 17:55:05 +01:00
README | 2004-11-12 Paul Jakma <paul@dishone.st> | 2004-11-12 10:30:21 +00:00
README.NetBSD | Omit --opaque-lsa from build (now default). | 2011-06-28 15:05:05 -04:00
REPORTING-BUGS | Update for git and emphasize asking for good reports. | 2010-05-05 07:51:26 -04:00
SERVICES | 2607/tcp is already used by ospfapi. | 2003-12-23 10:42:45 +00:00
stamp-h.in | Initial revision | 2002-12-13 20:15:29 +00:00
TODO | doc: update TODO for ospf6d work & bgp multipath | 2013-04-16 11:56:11 +02:00
update-autotools | * README.NetBSD: use update-autotools instead of autoreconf | 2007-02-02 16:52:38 +00:00

Quagga is free software that manages various IPv4 and IPv6 routing
protocols.

Currently Quagga supports BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1,
RIPv2, and RIPng as well as very early support for IS-IS.

See the file INSTALL.quagga.txt for building and installation instructions.

See the file REPORTING-BUGS to report bugs.

Quagga is free software. See the file COPYING for copying conditions.