summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenis Ovsienko <infrastation@yandex.ru>2011-09-26 13:18:36 +0400
committerDenis Ovsienko <infrastation@yandex.ru>2011-09-26 18:40:30 +0400
commit308687b7d73c5cacf927a3a33efbfaea627ccc09 (patch)
tree5a6892a966b268e278e24f610322e1404216b730
parent1f54cef38dab072f1054c6cfedd9ac32af14a120 (diff)
ospf6d: CVE-2011-3324 (DD LSA assertion)
This vulnerability (CERT-FI #514839) was reported by CROSS project. When Database Description LSA header list contains trailing zero octets, ospf6d tries to process this data as an LSA header. This triggers an assertion in the code and ospf6d shuts down. * ospf6_lsa.c * ospf6_lsa_is_changed(): handle header-only argument(s) appropriately, do not treat LSA length underrun as a fatal error.
-rw-r--r--ospf6d/ospf6_lsa.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/ospf6d/ospf6_lsa.c b/ospf6d/ospf6_lsa.c
index c1db3741..a9545c33 100644
--- a/ospf6d/ospf6_lsa.c
+++ b/ospf6d/ospf6_lsa.c
@@ -163,9 +163,19 @@ ospf6_lsa_is_changed (struct ospf6_lsa *lsa1,
return 1;
if (ntohs (lsa1->header->length) != ntohs (lsa2->header->length))
return 1;
+ /* Going beyond LSA headers to compare the payload only makes sense, when both LSAs aren't header-only. */
+ if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY) != CHECK_FLAG (lsa2->flag, OSPF6_LSA_HEADERONLY))
+ {
+ zlog_warn ("%s: only one of two (%s, %s) LSAs compared is header-only", __func__, lsa1->name, lsa2->name);
+ return 1;
+ }
+ if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY))
+ return 0;
length = OSPF6_LSA_SIZE (lsa1->header) - sizeof (struct ospf6_lsa_header);
- assert (length > 0);
+ /* Once upper layer verifies LSAs received, length underrun should become a warning. */
+ if (length <= 0)
+ return 0;
return memcmp (OSPF6_LSA_HEADER_END (lsa1->header),
OSPF6_LSA_HEADER_END (lsa2->header), length);