From abc7ef44ca05493500865ce81f7b84f5c4eb6594 Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <infrastation@yandex.ru>
Date: Mon, 26 Sep 2011 13:18:51 +0400
Subject: ospf6d: CVE-2011-3323 (fortify packet reception)

This vulnerability (CERT-FI #514840) was reported by CROSS project.

ospf6d processes IPv6 prefix structures in incoming packets without
verifying that the declared prefix length is valid. This leads to a
crash
caused by out of bounds memory access.

* ospf6_abr.h: new macros for size/alignment validation
* ospf6_asbr.h: idem
* ospf6_intra.h: idem
* ospf6_lsa.h: idem
* ospf6_message.h: idem
* ospf6_proto.h: idem
* ospf6_message.c
  * ospf6_packet_minlen: helper array for ospf6_packet_examin()
  * ospf6_lsa_minlen: helper array for ospf6_lsa_examin()
  * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper
    layer verify the input data
  * ospf6_dbdesc_recv(): idem
  * ospf6_lsreq_recv(): idem
  * ospf6_lsupdate_recv(): idem
  * ospf6_lsack_recv(): idem
  * ospf6_prefixes_examin(): new function, implements A.4.1
  * ospf6_lsa_examin(): new function, implements A.4
  * ospf6_lsaseq_examin(): new function, an interface to above
  * ospf6_packet_examin(): new function, implements A.3
  * ospf6_rxpacket_examin(): new function, replaces
    ospf6_header_examin()
  * ospf6_header_examin(): sayonara
  * ospf6_receive(): perform passive interface check earliest possible,
    employ ospf6_rxpacket_examin()
---
 ospf6d/ospf6_message.h | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'ospf6d/ospf6_message.h')

diff --git a/ospf6d/ospf6_message.h b/ospf6d/ospf6_message.h
index c72f0af4..232b875e 100644
--- a/ospf6d/ospf6_message.h
+++ b/ospf6d/ospf6_message.h
@@ -52,6 +52,7 @@ extern const char *ospf6_message_type_str[];
   (ospf6_message_type_str[ OSPF6_MESSAGE_TYPE_CANONICAL (T) ])
 
 /* OSPFv3 packet header */
+#define OSPF6_HEADER_SIZE                     16U
 struct ospf6_header
 {
   u_char    version;
@@ -67,6 +68,7 @@ struct ospf6_header
 #define OSPF6_MESSAGE_END(H) ((caddr_t) (H) + ntohs ((H)->length))
 
 /* Hello */
+#define OSPF6_HELLO_MIN_SIZE                  20U
 struct ospf6_hello
 {
   u_int32_t interface_id;
@@ -80,6 +82,7 @@ struct ospf6_hello
 };
 
 /* Database Description */
+#define OSPF6_DB_DESC_MIN_SIZE                12U
 struct ospf6_dbdesc
 {
   u_char    reserved1;
@@ -96,7 +99,9 @@ struct ospf6_dbdesc
 #define OSPF6_DBDESC_IBIT  (0x04) /* initial bit */
 
 /* Link State Request */
+#define OSPF6_LS_REQ_MIN_SIZE                  0U
 /* It is just a sequence of entries below */
+#define OSPF6_LSREQ_LSDESC_FIX_SIZE           12U
 struct ospf6_lsreq_entry
 {
   u_int16_t reserved;     /* Must Be Zero */
@@ -106,6 +111,7 @@ struct ospf6_lsreq_entry
 };
 
 /* Link State Update */
+#define OSPF6_LS_UPD_MIN_SIZE                  4U
 struct ospf6_lsupdate
 {
   u_int32_t lsa_number;
@@ -113,6 +119,7 @@ struct ospf6_lsupdate
 };
 
 /* Link State Acknowledgement */
+#define OSPF6_LS_ACK_MIN_SIZE                  0U
 /* It is just a sequence of LSA Headers */
 
 /* Function definition */
-- 
cgit v1.2.1