diff options
author | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 13:17:52 +0400 |
---|---|---|
committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 18:40:07 +0400 |
commit | 3d3380d4fda43924171bc0866746c85634952c99 (patch) | |
tree | d0239c64344f723900544824ba5979c96d55422f | |
parent | af143a26ef96ba9be7b9c0b151b7605e1c2c74cd (diff) |
ospfd: CVE-2011-3325 part 1 (OSPF header underrun)
This vulnerability (CERT-FI #514838) was reported by CROSS project.
When only 14 first bytes of a Hello packet is delivered, ospfd crashes.
* ospf_packet.c
* ospf_read(): add size check
-rw-r--r-- | ospfd/ospf_packet.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 1066e64f..7227452a 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -2367,10 +2367,19 @@ ospf_read (struct thread *thread) return 0; } - /* Adjust size to message length. */ + /* Advance from IP header to OSPF header (iph->ip_hl has been verified + by ospf_recv_packet() to be correct). */ stream_forward_getp (ibuf, iph->ip_hl * 4); - - /* Get ospf packet header. */ + + /* Make sure the OSPF header is really there. */ + if (stream_get_endp (ibuf) - stream_get_getp (ibuf) < OSPF_HEADER_SIZE) + { + zlog_debug ("ospf_read: ignored OSPF packet with undersized (%u bytes) header", + stream_get_endp (ibuf) - stream_get_getp (ibuf)); + return -1; + } + + /* Now it is safe to access all fields of OSPF packet header. */ ospfh = (struct ospf_header *) STREAM_PNT (ibuf); /* associate packet with ospf interface */ |