| Age | Commit message (Collapse) | Author |
|---|
|
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
to an exploitable stack overflow.
For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option
If either of these does not hold, the relevant code is not executed and
the issue does not get triggered.
Since the issue occurs on receiving large LSAs (larger than 1488 bytes),
it is possible for this to happen during normal operation of a network.
In particular, if there is an OSPF router with a large number of
interfaces, the Router-LSA of that router may exceed 1488 bytes and
trigger this, leading to an ospfd crash.
For an attacker to exploit this, s/he must be able to inject valid LSAs
into the OSPF domain. Any best-practice protection measure (using
crypto authentication, restricting OSPF to internal interfaces, packet
filtering protocol 89, etc.) will prevent exploitation. On top of that,
remote (not on an OSPF-speaking network segment) attackers will have
difficulties bringing up the adjacency needed to inject a LSA.
This patch only performs minimal changes to remove the possibility of a
stack overrun. The OSPF API in general is quite ugly and needs a
rewrite.
Reported-by: Ricky Charlet <ricky.charlet@hp.com>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
|
|
Use the array_size() helper macro. Replaces several instances of local
macros with the same definition.
Reviewed-by: Scott Feldman <sfeldma@cumulusnetworks.com>
Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
|
|
* ospf_apiserver.{c,h}: (ospf_apiserver_lsa_refresher) refreshers must now
return the refreshed LSA.
* ospf_te.{c,h}: (ospf_mpls_te_lsa_refresh) ditto
* ospf_api.c: trivial compiler warning fix
|
|
Simple conversion of XMALLOC/memset to XCALLOC
|
|
2005-11-26 Paul Jakma <paul.jakma@sun.com>
* buffer.c: (struct buffer_data) change gcc zero array
declaration to C99 incomplete array.
* stream.h: (struct stream) same
* ospf_api.c: (struct opaque_lsa) same
|
|
* ospf_api.c: sign warnings.
* ospf_apiserver.c: sign warning and convert all the struct
in_addr initialisations so as not to make assumptions about
how this struct is organised, initialise the s_addr member
explicitely.
* ospf_packet.c: Add const qualifier to auth_key.
|
|
* *.c: Change level of debug messages to LOG_DEBUG.
|
|
* global: Replace strerror with safe_strerror. And vtysh/vtysh.c
needs to include "log.h" to pick up the declaration.
|
|
|
