authorDenis Ovsienko <infrastation@yandex.ru>2011-09-26 13:17:52 +0400
committerDenis Ovsienko <infrastation@yandex.ru>2011-09-26 18:40:07 +0400
commit3d3380d4fda43924171bc0866746c85634952c99 (patch)
treed0239c64344f723900544824ba5979c96d55422f
parentaf143a26ef96ba9be7b9c0b151b7605e1c2c74cd (diff)
ospfd: CVE-2011-3325 part 1 (OSPF header underrun)
This vulnerability (CERT-FI #514838) was reported by the CROSS project. When only the first 14 bytes of a Hello packet are delivered, ospfd crashes. * ospf_packet.c * ospf_read(): add size check
-rw-r--r--ospfd/ospf_packet.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 1066e64f..7227452a 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2367,10 +2367,19 @@ ospf_read (struct thread *thread)
return 0;
}
- /* Adjust size to message length. */
+ /* Advance from IP header to OSPF header (iph->ip_hl has been verified
+ by ospf_recv_packet() to be correct). */
stream_forward_getp (ibuf, iph->ip_hl * 4);
-
- /* Get ospf packet header. */
+
+ /* Make sure the OSPF header is really there. */
+ if (stream_get_endp (ibuf) - stream_get_getp (ibuf) < OSPF_HEADER_SIZE)
+ {
+ zlog_debug ("ospf_read: ignored OSPF packet with undersized (%u bytes) header",
+ stream_get_endp (ibuf) - stream_get_getp (ibuf));
+ return -1;
+ }
+
+ /* Now it is safe to access all fields of OSPF packet header. */
ospfh = (struct ospf_header *) STREAM_PNT (ibuf);
/* associate packet with ospf interface */