summaryrefslogtreecommitdiff
path: root/ospf6d
diff options
context:
space:
mode:
authorDenis Ovsienko <infrastation@yandex.ru>2011-09-26 13:18:36 +0400
committerDenis Ovsienko <infrastation@yandex.ru>2011-09-26 18:47:06 +0400
commit09395e2a0e93b2cf4258cb1de91887948796bb68 (patch)
tree771622102161a372b45f730bd48ab23e69676350 /ospf6d
parent717750433839762d23a5f8d88fe0b4d57c8d490a (diff)
ospf6d: CVE-2011-3324 (DD LSA assertion)
This vulnerability (CERT-FI #514839) was reported by CROSS project. When Database Description LSA header list contains trailing zero octets, ospf6d tries to process this data as an LSA header. This triggers an assertion in the code and ospf6d shuts down. * ospf6_lsa.c * ospf6_lsa_is_changed(): handle header-only argument(s) appropriately, do not treat LSA length underrun as a fatal error.
Diffstat (limited to 'ospf6d')
-rw-r--r--ospf6d/ospf6_lsa.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/ospf6d/ospf6_lsa.c b/ospf6d/ospf6_lsa.c
index 588b9462..e65752d8 100644
--- a/ospf6d/ospf6_lsa.c
+++ b/ospf6d/ospf6_lsa.c
@@ -163,9 +163,19 @@ ospf6_lsa_is_changed (struct ospf6_lsa *lsa1,
return 1;
if (ntohs (lsa1->header->length) != ntohs (lsa2->header->length))
return 1;
+ /* Going beyond LSA headers to compare the payload only makes sense, when both LSAs aren't header-only. */
+ if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY) != CHECK_FLAG (lsa2->flag, OSPF6_LSA_HEADERONLY))
+ {
+ zlog_warn ("%s: only one of two (%s, %s) LSAs compared is header-only", __func__, lsa1->name, lsa2->name);
+ return 1;
+ }
+ if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY))
+ return 0;
length = OSPF6_LSA_SIZE (lsa1->header) - sizeof (struct ospf6_lsa_header);
- assert (length > 0);
+ /* Once upper layer verifies LSAs received, length underrun should become a warning. */
+ if (length <= 0)
+ return 0;
return memcmp (OSPF6_LSA_HEADER_END (lsa1->header),
OSPF6_LSA_HEADER_END (lsa2->header), length);