authorDavid Lamparter <equinox@diac24.net>2013-08-02 07:27:53 +0000
committerDavid Lamparter <equinox@opensourcerouting.org>2013-08-06 12:41:46 +0200
commit23cd8fb7133befdb84b3a918f7b2f6147161ac6e (patch)
treeb8ef335dcbc2051a5017aa50bc4b759882b638d2
parenta12afd5e8e57c95505d4d0166af234c7f19e9fe1 (diff)
ospfd: protect vs. VU#229804 (malformed Router-LSA)
VU#229804 reports that, by injecting Router LSAs with the Advertising Router ID different from the Link State ID, OSPF implementations can be tricked into retaining and using invalid information. Quagga is not vulnerable to this because it looks up Router LSAs by (Router-ID, LS-ID) pair. The relevant code is in ospf_lsa.c, line 3140; note the duplicated "id" argument at the end of that lookup. Still, we can provide an improvement here by discarding such malformed LSAs and providing a warning to the administrator. While we cannot prevent such malformed LSAs from entering the OSPF domain, we can certainly try to limit their distribution. cf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report. This issue is a specification issue in the OSPF protocol that was discovered by Dr. Gabi Nakibly. Reported-by: CERT Coordination Center <cert@cert.org> Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
-rw-r--r--ospfd/ospf_packet.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 37223fbb..ab68bf0b 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -1823,6 +1823,27 @@ ospf_ls_upd (struct ip *iph, struct ospf_header *ospfh,
DISCARD_LSA (lsa,2);
}
+ /* VU229804: Router-LSA Adv-ID must be equal to LS-ID */
+ if (lsa->data->type == OSPF_ROUTER_LSA)
+ if (!IPV4_ADDR_SAME(&lsa->data->id, &lsa->data->adv_router))
+ {
+ char buf1[INET_ADDRSTRLEN];
+ char buf2[INET_ADDRSTRLEN];
+ char buf3[INET_ADDRSTRLEN];
+
+ zlog_err("Incoming Router-LSA from %s with "
+ "Adv-ID[%s] != LS-ID[%s]",
+ inet_ntop (AF_INET, &ospfh->router_id,
+ buf1, INET_ADDRSTRLEN),
+ inet_ntop (AF_INET, &lsa->data->id,
+ buf2, INET_ADDRSTRLEN),
+ inet_ntop (AF_INET, &lsa->data->adv_router,
+ buf3, INET_ADDRSTRLEN));
+ zlog_err("OSPF domain compromised by attack or corruption. "
+ "Verify correct operation of -ALL- OSPF routers.");
+ DISCARD_LSA (lsa, 0);
+ }
+
/* Find the LSA in the current database. */
current = ospf_lsa_lookup_by_header (oi->area, lsa->data);