| author | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 13:18:02 +0400 | 
|---|---|---|
| committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 18:40:19 +0400 | 
| commit | 1f54cef38dab072f1054c6cfedd9ac32af14a120 (patch) | |
| tree | 6aceeb8772c8ba088b387d7fdcdc771899788fce /ospfd | |
| parent | 3d3380d4fda43924171bc0866746c85634952c99 (diff) | |
ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)
This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
  * debug ospf packet all
  * debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
  * ospf_verify_header(): add type field check
  * ospf_read(): perform input checks early
Diffstat (limited to 'ospfd')
| -rw-r--r-- | ospfd/ospf_packet.c | 32 | 
1 files changed, 18 insertions, 14 deletions
|
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 7227452a..489b928c 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2258,6 +2258,13 @@ ospf_verify_header (struct stream *ibuf, struct ospf_interface *oi,
       return -1;
     }
+  /* Valid OSPFv2 packet types are 1 through 5 inclusive. */
+  if (ospfh->type < 1 || ospfh->type > 5)
+  {
+    zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type);
+    return -1;
+  }
+
   /* Check Area ID. */
   if (!ospf_check_area_id (oi, ospfh))
     {
@@ -2385,6 +2392,17 @@ ospf_read (struct thread *thread)
   /* associate packet with ospf interface */
   oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);
+  /* Verify header fields before any further processing. */
+  ret = ospf_verify_header (ibuf, oi, iph, ospfh);
+  if (ret < 0)
+  {
+    if (IS_DEBUG_OSPF_PACKET (0, RECV))
+      zlog_debug ("ospf_read[%s]: Header check failed, "
+                  "dropping.",
+                  inet_ntoa (iph->ip_src));
+    return ret;
+  }
+
   /* If incoming interface is passive one, ignore it. */
   if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)
     {
@@ -2494,20 +2512,6 @@ ospf_read (struct thread *thread)
 	zlog_debug ("-----------------------------------------------------");
   }
-  /* Some header verification. */
-  ret = ospf_verify_header (ibuf, oi, iph, ospfh);
-  if (ret < 0)
-    {
-      if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV))
-        {
-          zlog_debug ("ospf_read[%s/%s]: Header check failed, "
-                     "dropping.",
-                     ospf_packet_type_str[ospfh->type],
-                     inet_ntoa (iph->ip_src));
-        }
-      return ret;
-    }
-
   stream_forward_getp (ibuf, OSPF_HEADER_SIZE);
   /* Adjust size to message length. */
|
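Review bot: The bounds `1` and `5` in the new type check in ospf_verify_header() are bare literals, although the value they guard is used as an array index elsewhere (the lines this commit removes from ospf_read() index `ospf_packet_type_str[ospfh->type]` and select the debug flag with `ospfh->type - 1`). Tying the check to the named message-type constants, e.g. `if (ospfh->type < OSPF_MSG_HELLO || ospfh->type > OSPF_MSG_LS_ACK)`, assuming those definitions are in scope in this file, keeps the guard and the tables in step if either is ever extended. The added block also puts its `{` directly under the `if`, unlike the indented-brace style of the surrounding context lines. The function starts and ends outside this hunk, so whether an earlier statement already uses the type as an index cannot be confirmed from here.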
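Review bot: ospf_verify_header() is now called with `oi` taken straight from ospf_if_lookup_recv_if(), yet the very next context line tests `oi && ...`, which suggests the lookup can return NULL at this point. The verifier hands `oi` to IF_NAME() and ospf_check_area_id() (first hunk), so unless both tolerate a NULL interface this may trade one malformed-packet crash for another on packets that match no OSPF interface. A narrower change would be to perform only the range check on `ospfh->type` here, before anything indexes by it, and leave the full ospf_verify_header() call where the interface has already been resolved. Separately, `IS_DEBUG_OSPF_PACKET (0, RECV)` ties the drop message to index 0 of the per-type debug flags, so a comment such as `/* type is not yet trusted, use the first flag slot */` would explain the constant. ospf_read() begins and ends outside this hunk.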
