diff options
author | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 13:17:52 +0400 |
---|---|---|
committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 18:46:42 +0400 |
commit | 61ab0301606053192f45c188bc48afc837518770 (patch) | |
tree | b7d9037390cd7beefcd7c1c54d2573ef92af80cd /ospfd | |
parent | 6b161fc12a15aba8824c84d1eb38e529aaf70769 (diff) |
ospfd: CVE-2011-3325 part 1 (OSPF header underrun)
This vulnerability (CERT-FI #514838) was reported by CROSS project.
When only 14 first bytes of a Hello packet is delivered, ospfd crashes.
* ospf_packet.c
* ospf_read(): add size check
Diffstat (limited to 'ospfd')
-rw-r--r-- | ospfd/ospf_packet.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index be137d91..57278788 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -2430,10 +2430,19 @@ ospf_read (struct thread *thread) return 0; } - /* Adjust size to message length. */ + /* Advance from IP header to OSPF header (iph->ip_hl has been verified + by ospf_recv_packet() to be correct). */ stream_forward_getp (ibuf, iph->ip_hl * 4); - - /* Get ospf packet header. */ + + /* Make sure the OSPF header is really there. */ + if (stream_get_endp (ibuf) - stream_get_getp (ibuf) < OSPF_HEADER_SIZE) + { + zlog_debug ("ospf_read: ignored OSPF packet with undersized (%u bytes) header", + stream_get_endp (ibuf) - stream_get_getp (ibuf)); + return -1; + } + + /* Now it is safe to access all fields of OSPF packet header. */ ospfh = (struct ospf_header *) STREAM_PNT (ibuf); /* associate packet with ospf interface */ |