File 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch of Package frr.35334

Overview Repositories Revisions Requests Users Attributes Meta

File 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch of Package frr.35334

From 285c19a3c665087720e1fea7d8d944c961c52288 Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Mon, 26 Feb 2024 10:40:34 +0100
Subject: [PATCH] ospfd: Solved crash in OSPF TE parsing
Upstream: yes
References: bsc#1220548, CVE-2024-27913, gh#FRRouting/frr#15431

Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
packets. The crash occurs in ospf_te_parse_te() function when attemping to
create corresponding egde from TE Link parameters. If there is no local
address, an edge is created but without any attributes. During parsing, the
function try to access to this attribute fields which has not been created
causing an ospfd crash.

The patch simply check if the te parser has found a valid local address. If not
found, we stop the parser which avoid the crash.

Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>

diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 75f4e0c9f0..45eb205759 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2276,6 +2276,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
 	}
 
 	/* Get corresponding Edge from Link State Data Base */
+	if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+		ote_debug("  |- Found no TE Link local address/ID. Abort!");
+		return -1;
+	}
 	edge = get_edge(ted, attr.adv, attr.standard.local);
 	old = edge->attributes;
 
-- 
2.35.3

Places

File 0020-ospfd-Solved-crash-in-OSPF-TE-parsing.patch of Package frr.35334

Places