From abc7ef44ca05493500865ce81f7b84f5c4eb6594 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko
Date: Mon, 26 Sep 2011 13:18:51 +0400
Subject: ospf6d: CVE-2011-3323 (fortify packet reception) This vulnerability (CERT-FI #514840) was reported by CROSS project. ospf6d processes IPv6 prefix structures in incoming packets without verifying that the declared prefix length is valid. This leads to a crash caused by out of bounds memory access. * ospf6_abr.h: new macros for size/alignment validation * ospf6_asbr.h: idem * ospf6_intra.h: idem * ospf6_lsa.h: idem * ospf6_message.h: idem * ospf6_proto.h: idem * ospf6_message.c * ospf6_packet_minlen: helper array for ospf6_packet_examin() * ospf6_lsa_minlen: helper array for ospf6_lsa_examin() * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper layer verify the input data * ospf6_dbdesc_recv(): idem * ospf6_lsreq_recv(): idem * ospf6_lsupdate_recv(): idem * ospf6_lsack_recv(): idem * ospf6_prefixes_examin(): new function, implements A.4.1 * ospf6_lsa_examin(): new function, implements A.4 * ospf6_lsaseq_examin(): new function, an interface to above * ospf6_packet_examin(): new function, implements A.3 * ospf6_rxpacket_examin(): new function, replaces ospf6_header_examin() * ospf6_header_examin(): sayonara * ospf6_receive(): perform passive interface check earliest possible, employ ospf6_rxpacket_examin()
---
 ospf6d/ospf6_asbr.h | 1 +
 1 file changed, 1 insertion(+)
(limited to 'ospf6d/ospf6_asbr.h')
diff --git a/ospf6d/ospf6_asbr.h b/ospf6d/ospf6_asbr.h
index 6deb93ef..cd1c939a 100644
--- a/ospf6d/ospf6_asbr.h
+++ b/ospf6d/ospf6_asbr.h
@@ -44,6 +44,7 @@ struct ospf6_external_info
 };
 /* AS-External-LSA */
+#define OSPF6_AS_EXTERNAL_LSA_MIN_SIZE 4U /* w/o IPv6 prefix */
 struct ospf6_as_external_lsa
 {
 u_int32_t bits_metric;
-- cgit v1.2.1
From 87362ceb5d493f12e8c937b533190a1996d2df22 Mon Sep 17 00:00:00 2001
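Review bot: `OSPF6_AS_EXTERNAL_LSA_MIN_SIZE` is a bare `4U` that nothing ties to `struct ospf6_as_external_lsa` directly below it, so a later change to the fixed part of the structure would leave the length check silently stale. The comment says the value excludes the IPv6 prefix, so this constant on its own does not bound the prefix header or the prefix bytes. Per the commit message that is left to ospf6_prefixes_examin(), which lies outside this file-limited view and cannot be checked here. I would spell the contract out at the definition, e.g. `/* fixed part only (bits_metric); the prefix that follows must be length-checked separately */`. The structure body continues past the end of the hunk.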
From: Denis Ovsienko
Date: Sat, 27 Aug 2011 22:19:34 +0400
Subject: ospf6d: address more trivial compiler warnings * ospf6_main.c: include required headers * ospf6_asbr.h: idem * ospf6_spf.c * ospf6_spf_install(): remove unused variables
---
 ospf6d/ospf6_asbr.h | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'ospf6d/ospf6_asbr.h')
diff --git a/ospf6d/ospf6_asbr.h b/ospf6d/ospf6_asbr.h
index cd1c939a..6aab1df0 100644
--- a/ospf6d/ospf6_asbr.h
+++ b/ospf6d/ospf6_asbr.h
@@ -22,6 +22,13 @@
 #ifndef OSPF6_ASBR_H
 #define OSPF6_ASBR_H
+/* for struct ospf6_prefix */
+#include "ospf6_proto.h"
+/* for struct ospf6_lsa */
+#include "ospf6_lsa.h"
+/* for struct ospf6_route */
+#include "ospf6_route.h"
+
 /* Debug option */
 extern unsigned char conf_debug_ospf6_asbr;
 #define OSPF6_DEBUG_ASBR_ON() \
-- cgit v1.2.1
From 42a7debf3c76b8001ce820e104a29d2f693c7cb7 Mon Sep 17 00:00:00 2001
From: Vyacheslav Trushkin
Date: Wed, 16 Nov 2011 14:22:03 +0400
Subject: ospf6d: implement 'match interface' for route-maps ospf6_routemap_rule_match_interface* was imported from ospfd daemon with minor changes. new CLI options defined. `ospf6_routemap_rule_match_interface' was changed to support IPv6 (ospfv3) route's external information.
---
 ospf6d/ospf6_asbr.h | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'ospf6d/ospf6_asbr.h')
diff --git a/ospf6d/ospf6_asbr.h b/ospf6d/ospf6_asbr.h
index 6aab1df0..72e49143 100644
--- a/ospf6d/ospf6_asbr.h
+++ b/ospf6d/ospf6_asbr.h
@@ -48,6 +48,8 @@ struct ospf6_external_info
 struct in6_addr forwarding;
 /* u_int32_t tag; */
+
+ unsigned int ifindex;
 };
 /* AS-External-LSA */
-- cgit v1.2.1
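Review bot: In the last hunk the new `ifindex` member of `struct ospf6_external_info` has no comment, and the hunk does not show where it is assigned. If any instance of the structure is created without being zeroed, the route-map 'match interface' rule described in the commit message would presumably compare against an indeterminate value. That depends on allocation code outside this file-limited view, so it is worth confirming. I would at least document the field, e.g. `unsigned int ifindex; /* interface index consulted by route-map 'match interface' */`, and state which value means that no interface is recorded. The structure starts above the hunk.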