From abc7ef44ca05493500865ce81f7b84f5c4eb6594 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko
Date: Mon, 26 Sep 2011 13:18:51 +0400
Subject: ospf6d: CVE-2011-3323 (fortify packet reception) This vulnerability (CERT-FI #514840) was reported by CROSS project. ospf6d processes IPv6 prefix structures in incoming packets without verifying that the declared prefix length is valid. This leads to a crash caused by out of bounds memory access. * ospf6_abr.h: new macros for size/alignment validation * ospf6_asbr.h: idem * ospf6_intra.h: idem * ospf6_lsa.h: idem * ospf6_message.h: idem * ospf6_proto.h: idem * ospf6_message.c * ospf6_packet_minlen: helper array for ospf6_packet_examin() * ospf6_lsa_minlen: helper array for ospf6_lsa_examin() * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper layer verify the input data * ospf6_dbdesc_recv(): idem * ospf6_lsreq_recv(): idem * ospf6_lsupdate_recv(): idem * ospf6_lsack_recv(): idem * ospf6_prefixes_examin(): new function, implements A.4.1 * ospf6_lsa_examin(): new function, implements A.4 * ospf6_lsaseq_examin(): new function, an interface to above * ospf6_packet_examin(): new function, implements A.3 * ospf6_rxpacket_examin(): new function, replaces ospf6_header_examin() * ospf6_header_examin(): sayonara * ospf6_receive(): perform passive interface check earliest possible, employ ospf6_rxpacket_examin()
---
ospf6d/ospf6_lsa.h | 1 +
1 file changed, 1 insertion(+)
(limited to 'ospf6d/ospf6_lsa.h')
diff --git a/ospf6d/ospf6_lsa.h b/ospf6d/ospf6_lsa.h
index c1093cab..a2991ba7 100644
--- a/ospf6d/ospf6_lsa.h
+++ b/ospf6d/ospf6_lsa.h
@@ -79,6 +79,7 @@ (ntohs (type) & OSPF6_LSTYPE_SCOPE_MASK) /* LSA Header */ +#define OSPF6_LSA_HEADER_SIZE 20U struct ospf6_lsa_header { u_int16_t age; /* LS age */
-- cgit v1.2.1
From 5e1731ac1d8593c1317d5d907eda62b52b17470f Mon Sep 17 00:00:00 2001
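Review bot: The `#define OSPF6_LSA_HEADER_SIZE 20U` added in ospf6_lsa.h is a bare literal placed directly above `struct ospf6_lsa_header`, with nothing tying the two together. The commit message says these macros feed the new size validation. That code is in ospf6_message.c and not shown on this page, but if it bounds a received length with the macro while the parser reads through the struct, a later field change or unexpected padding would let the checked size and the accessed size diverge without any build error. I would document the constant, e.g. `/* on-wire LSA header length in octets; must equal sizeof (struct ospf6_lsa_header) */`, and ideally add a compile-time size check next to the struct. The struct body continues outside the hunk, so the 20-octet total cannot be confirmed from here.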
From: Denis Ovsienko
Date: Sat, 20 Aug 2011 22:45:58 +0400
Subject: ospf6d: ospf6_lsa_cmd_init() does not exist
---
ospf6d/ospf6_lsa.h | 1 -
1 file changed, 1 deletion(-)
(limited to 'ospf6d/ospf6_lsa.h')
diff --git a/ospf6d/ospf6_lsa.h b/ospf6d/ospf6_lsa.h
index a2991ba7..7d93f5cb 100644
--- a/ospf6d/ospf6_lsa.h
+++ b/ospf6d/ospf6_lsa.h
@@ -245,7 +245,6 @@ extern struct ospf6_lsa_handler *ospf6_get_lsa_handler (u_int16_t type); extern void ospf6_lsa_init (void); extern void ospf6_lsa_terminate (void); -extern void ospf6_lsa_cmd_init (void); extern int config_write_ospf6_debug_lsa (struct vty *vty); extern void install_element_ospf6_debug_lsa (void);
-- cgit v1.2.1