mirror_frr/ospfd
David Lamparter c51443f4aa ospfd: CVE-2013-2236, stack overrun in apiserver
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers.  This leads
to an exploitable stack overflow.

For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option

If either of these does not hold, the relevant code is not executed and
the issue does not get triggered.

Since the issue occurs on receiving large LSAs (larger than 1488 bytes),
it is possible for this to happen during normal operation of a network.
In particular, if there is an OSPF router with a large number of
interfaces, the Router-LSA of that router may exceed 1488 bytes and
trigger this, leading to an ospfd crash.

For an attacker to exploit this, s/he must be able to inject valid LSAs
into the OSPF domain.  Any best-practice protection measure (using
crypto authentication, restricting OSPF to internal interfaces, packet
filtering protocol 89, etc.) will prevent exploitation.  On top of that,
remote (not on an OSPF-speaking network segment) attackers will have
difficulties bringing up the adjacency needed to inject an LSA.

This patch only performs minimal changes to remove the possibility of a
stack overrun.  The OSPF API in general is quite ugly and needs a
rewrite.

Reported-by: Ricky Charlet <ricky.charlet@hp.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2013-07-28 16:13:10 +02:00
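The bug class the commit message describes, as an added C illustration that is not Quagga's own ospf_api.c or ospf_apiserver.c code and not the patch itself: an LSA handler that trusts the length field in the LSA header and copies into a fixed on-stack buffer, beside one that bounds the copy by the header minimum, the bytes actually received, and the destination size. The 1488-byte buffer size, the function names and the constructed Router-LSA input are assumptions for the example (1488 is taken from the commit message's threshold, not from the source); the LSA header layout (20 bytes, 16-bit big-endian length at offset 18) is from RFC 2328.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed for this example: the fixed on-stack buffer size.  The commit
 * message says LSAs larger than 1488 bytes trigger the overrun, so that
 * is the threshold modelled here; it is not a constant from ospfd. */
#define APISERVER_BUF_MAX 1488
#define OSPF_LSA_HEADER_SIZE 20          /* RFC 2328, section A.4.1 */
#define OSPF_LSA_LENGTH_OFFSET 18        /* 16-bit big-endian "length" */

/* Total LSA length as claimed by the sender in the LSA header. */
static size_t lsa_claimed_length(const uint8_t *lsa)
{
    uint16_t n;
    memcpy(&n, lsa + OSPF_LSA_LENGTH_OFFSET, sizeof n);
    return ntohs(n);
}

/* Vulnerable pattern (hypothetical, same class as the bug): trust the
 * on-the-wire length and copy into a fixed on-stack buffer.  A 1500-byte
 * Router-LSA writes 12 bytes past the end of buf. */
static unsigned lsa_copy_unsafe(const uint8_t *lsa)
{
    uint8_t buf[APISERVER_BUF_MAX];
    size_t len = lsa_claimed_length(lsa);
    unsigned sum = 0;

    memcpy(buf, lsa, len);               /* no bound against sizeof buf */
    for (size_t i = 0; i < len; i++)
        sum += buf[i];
    return sum;
}

/* Hardened pattern: bound the claimed length by the LSA header minimum,
 * by the bytes actually received, and by the destination.  Returns the
 * number of bytes copied, or -1 to tell the caller to drop the LSA. */
static int lsa_copy_safe(const uint8_t *lsa, size_t avail,
                         uint8_t *dst, size_t dst_len)
{
    if (avail < OSPF_LSA_HEADER_SIZE)
        return -1;
    size_t len = lsa_claimed_length(lsa);
    if (len < OSPF_LSA_HEADER_SIZE || len > avail || len > dst_len)
        return -1;
    memcpy(dst, lsa, len);
    return (int)len;
}

/* Constructed input: a zero-filled type-1 (Router) LSA occupying `avail`
 * bytes whose header claims `claimed` bytes (they differ for a truncated
 * or lying packet). */
static void make_router_lsa(uint8_t *out, size_t avail, size_t claimed)
{
    uint16_t n = htons((uint16_t)claimed);
    memset(out, 0, avail);
    if (avail >= OSPF_LSA_HEADER_SIZE) {
        out[3] = 1;                      /* LS type 1 = Router-LSA */
        memcpy(out + OSPF_LSA_LENGTH_OFFSET, &n, sizeof n);
    }
}

/* Run one constructed LSA through the hardened copy into a 1488-byte
 * destination; returns what lsa_copy_safe returned. */
static int safe_copy_result(size_t avail, size_t claimed)
{
    uint8_t lsa[4096];
    uint8_t dst[APISERVER_BUF_MAX];

    if (avail > sizeof lsa)
        return -2;
    make_router_lsa(lsa, avail, claimed);
    return lsa_copy_safe(lsa, avail, dst, sizeof dst);
}

/* The unsafe path on an LSA that fits (64 bytes): harmless, returns the
 * byte sum 1 (LS type) + 64 (length field) = 65.  It is never called here
 * with a 1500-byte LSA, because that would corrupt the stack. */
static unsigned unsafe_small_checksum(void)
{
    uint8_t small[64];
    make_router_lsa(small, sizeof small, sizeof small);
    return lsa_copy_unsafe(small);
}

int main(void)
{
    printf("unsafe, 64-byte LSA: checksum %u\n", unsafe_small_checksum());
    printf("safe,   64-byte LSA: %d\n", safe_copy_result(64, 64));
    printf("safe, 1488-byte LSA: %d\n", safe_copy_result(1488, 1488));
    /* The Router-LSA of a router with many interfaces: dropped, not overrun. */
    printf("safe, 1500-byte LSA: %d\n", safe_copy_result(1500, 1500));
    printf("safe, header claims 1000 of 100 received bytes: %d\n",
           safe_copy_result(100, 1000));
    return 0;
}
```

The three bounds in lsa_copy_safe are the ones an LSA receiver needs: the header minimum guards the length read itself, the received-byte count guards against a header that claims more than arrived, and the destination size is the check whose absence the commit describes. The commit says the actual patch makes only minimal changes; this example shows the checks, not what ospf_api.c now does.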
.gitignore [administrivia] Git should ignore backup files and .loT files 2008-08-22 20:00:46 +01:00
ChangeLog.opaque.txt Initial revision 2003-02-03 16:31:16 +00:00
Makefile.am build: correct libtool parameter used within Makefiles 2012-09-25 05:56:00 +02:00
ospf_abr.c ospfd: Corrected ospfd Type-4/Type-5 ls update handling 2013-01-07 10:00:00 -08:00
ospf_abr.h 2005-09-29 Alain Ritoux <alain.ritoux@6wind.com> 2005-09-29 13:52:57 +00:00
ospf_api.c ospfd: CVE-2013-2236, stack overrun in apiserver 2013-07-28 16:13:10 +02:00
ospf_api.h 2005-05-06 Paul Jakma <paul.jakma@sun.com> 2005-05-06 21:37:42 +00:00
ospf_apiserver.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_apiserver.h ospf: Fix OSPF API and ospf-te LSA refreshers to match recent API change 2011-04-13 15:13:33 +01:00
ospf_asbr.c ospfd: avoid redundant lookup in ospf_redistribute_withdraw 2011-12-06 15:02:52 +04:00
ospf_asbr.h [ospfd] CID #28, remove another ospf_lookup call - ospf_redistribute_withdraw 2006-05-12 23:02:46 +00:00
ospf_ase.c ospfd: address more trivial compiler warnings 2012-01-08 11:43:07 +00:00
ospf_ase.h 2005-05-06 Paul Jakma <paul.jakma@sun.com> 2005-05-06 21:37:42 +00:00
ospf_dump.c ospfd: introduce ospf_auth_type_str[] 2012-03-12 11:05:34 +01:00
ospf_dump.h ospfd: introduce ospf_auth_type_str[] 2012-03-12 11:05:34 +01:00
ospf_flood.c ospfd: improve fix to CVE-2011-3326 (BZ#586) 2011-11-15 20:50:48 +04:00
ospf_flood.h ospfd: Fix maxage/flush to not try flood twice, remember maxages for longer 2010-12-08 17:13:19 +00:00
ospf_ia.c [ospfd] CID #14, NULL check ospf->backbone before use, ospf_update_router_route 2006-05-12 23:04:45 +00:00
ospf_ia.h 2005-05-06 Paul Jakma <paul.jakma@sun.com> 2005-05-06 21:37:42 +00:00
ospf_interface.c ospfd: Optimize and improve SPF nexthop calculation 2012-07-25 18:07:30 +02:00
ospf_interface.h ospfd: Optimize and improve SPF nexthop calculation 2012-07-25 18:07:30 +02:00
ospf_ism.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_ism.h [ospfd] Make OSPF_ISM_TIMER_OFF macro safer. 2005-11-16 19:33:22 +00:00
ospf_lsa.c ospfd: fix flooding procedure 2013-04-20 06:14:27 +02:00
ospf_lsa.h ospfd: fix flooding procedure 2013-04-20 06:14:27 +02:00
ospf_lsdb.c ospf: Convert MAX_AGE LSA list to tree 2013-01-07 09:59:43 -08:00
ospf_lsdb.h ospf: Convert MAX_AGE LSA list to tree 2013-01-07 09:59:43 -08:00
ospf_main.c ospf: fix apiserver enable 2013-01-07 09:59:46 -08:00
ospf_neighbor.c [cleanup] Convert XMALLOC/memset to XCALLOC 2009-06-12 17:07:49 +01:00
ospf_neighbor.h [ospfd] Additional NSM neighbour state change stats/information 2006-07-25 20:44:12 +00:00
ospf_network.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_network.h ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_nsm.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_nsm.h ospfd: Update nsm_change_state to static scope, as it is not called from elsewhere 2013-01-07 09:59:57 -08:00
ospf_opaque.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_opaque.h ospfd: Compile fix for opaque support 2011-03-22 15:23:55 +00:00
ospf_packet.c ospfd: fix flooding procedure 2013-04-20 06:14:27 +02:00
ospf_packet.h ospfd: introduce ospf_lsa_minlen[] (BZ#705) 2012-03-12 11:05:28 +01:00
ospf_route.c ospf: suppress delete using replacement 2013-01-07 09:59:40 -08:00
ospf_route.h ospfd: blackhole route removal for area range 2012-10-25 10:15:58 -07:00
ospf_routemap.c ospfd: Fixed signed/unsigned masking of negative metrics 2013-01-07 09:59:49 -08:00
ospf_snmp.c snmp: let handlers accept OID from a lesser prefix 2012-06-25 19:03:23 +02:00
ospf_snmp.h 2005-09-29 Alain Ritoux <alain.ritoux@6wind.com> 2005-09-29 16:34:30 +00:00
ospf_spf.c ospfd: restore nexthop IP for p2p interfaces 2013-04-09 22:38:04 +02:00
ospf_spf.h [ospfd] Fix SPF of virtual-links 2006-05-04 07:32:57 +00:00
ospf_te.c ospfd: Changed TE instance check to remove -Wtype-limits warning 2013-01-07 09:59:53 -08:00
ospf_te.h ospfd: Changed TE instance check to remove -Wtype-limits warning 2013-01-07 09:59:53 -08:00
ospf_vty.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_vty.h 2005-05-06 Paul Jakma <paul.jakma@sun.com> 2005-05-06 21:37:42 +00:00
ospf_zebra.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospf_zebra.h ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
OSPF-ALIGNMENT.txt add note about alignment in LS updates due to opaque LSAs. 2004-11-17 17:59:52 +00:00
OSPF-MIB.txt spelling: s/supress/suppress/ 2004-11-05 13:24:12 +00:00
OSPF-TRAP-MIB.txt Initial revision 2002-12-13 20:15:29 +00:00
ospfd.c ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00
ospfd.conf.sample Initial revision 2002-12-13 20:15:29 +00:00
ospfd.h ospfd: compile warning cleanups 2013-01-07 09:59:59 -08:00