From 6b161fc12a15aba8824c84d1eb38e529aaf70769 Mon Sep 17 00:00:00 2001 From: CROSS Date: Mon, 26 Sep 2011 13:17:21 +0400 Subject: ospfd: CVE-2011-3326 (uknown LSA type segfault) This vulnerability (CERT-FI #514837) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. Quagga ospfd does not seem to handle unknown LSA types in a Link State Update message correctly. If LSA type is something else than one supported by Quagga, the default handling of unknown types leads to an error. * ospf_flood.c * ospf_flood(): check return value of ospf_lsa_install() --- ospfd/ospf_flood.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'ospfd/ospf_flood.c') diff --git a/ospfd/ospf_flood.c b/ospfd/ospf_flood.c index 77f2e161..004ed1a7 100644 --- a/ospfd/ospf_flood.c +++ b/ospfd/ospf_flood.c @@ -319,7 +319,8 @@ ospf_flood (struct ospf *ospf, struct ospf_neighbor *nbr, procedure cannot overwrite the newly installed LSA until MinLSArrival seconds have elapsed. */ - new = ospf_lsa_install (ospf, nbr->oi, new); + if (! (new = ospf_lsa_install (ospf, nbr->oi, new))) + return 0; /* unknown LSA type */ /* Acknowledge the receipt of the LSA by sending a Link State Acknowledgment packet back out the receiving interface. */ -- cgit v1.2.1 From 4de148e5d6f6f7885b2c0952a236a3bc3ec36250 Mon Sep 17 00:00:00 2001 From: Thomas Ries Date: Thu, 27 Oct 2011 17:43:38 +0400 Subject: ospfd: improve fix to CVE-2011-3326 (BZ#586) Make ospf_flood() propagate error returned by ospf_lsa_install() further to properly discard the malformed LSA, not just prevent the immediate crash. --- ospfd/ospf_flood.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ospfd/ospf_flood.c') diff --git a/ospfd/ospf_flood.c b/ospfd/ospf_flood.c index 004ed1a7..2ebae89a 100644 --- a/ospfd/ospf_flood.c +++ b/ospfd/ospf_flood.c 
@@ -320,7 +320,7 @@ ospf_flood (struct ospf *ospf, struct ospf_neighbor *nbr, MinLSArrival seconds have elapsed. */ if (! (new = ospf_lsa_install (ospf, nbr->oi, new))) - return 0; /* unknown LSA type */ + return -1; /* unknown LSA type or any other error condition */ /* Acknowledge the receipt of the LSA by sending a Link State Acknowledgment packet back out the receiving interface. */ -- cgit v1.2.1
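Review bot: In the first hunk (6b161fc, ospf_flood() in ospfd/ospf_flood.c), `return 0` on a NULL result from ospf_lsa_install() is the same value the function returns on the normal success path, so the caller cannot tell a rejected LSA from a flooded one and will keep processing the Link State Update as if the install had succeeded; this stops the segfault but does not discard the bad LSA. Suggest returning a distinct error value (`return -1;`) and widening the comment, since ospf_lsa_install() returning NULL is not limited to an unknown LSA type. The `if (! (new = ospf_lsa_install (ospf, nbr->oi, new)))` form also buries an assignment in the condition; `new = ospf_lsa_install (...); if (new == NULL)` would be easier to audit for this kind of check.

Review bot: In the second hunk (4de148e), changing the return to `-1` only propagates the error if every caller of ospf_flood() distinguishes a negative return from 0, and the hunk does not show any caller-side change; please confirm in the same change that the call sites treat a negative result as "discard this LSA and do not acknowledge it", otherwise the new value is silently dropped and the behaviour is identical to the first fix. The function's return-value contract (header comment or the callers' expectations) should also be documented to state that -1 now means the LSA was not installed.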