File 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF... of Package frr.35334

Overview Repositories Revisions Requests Users Attributes Meta

File 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch of Package frr.35334

From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
From: Olivier Dugeon <olivier.dugeon@orange.com>
Date: Wed, 3 Apr 2024 16:28:23 +0200
Upstream: yes
References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE

Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
read Segment Routing subTLVs. The original code doesn't check if the size of
the SR subTLVs have the correct length. In presence of erronous LSA, this will
cause a buffer overflow and ospfd crash.

This patch introduces new verification of the subTLVs size for Router
Information TLV.

Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
---
 ospfd/ospf_te.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 45eb205759..885b915585 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
 
 		switch (ntohs(tlvh->type)) {
 		case RI_SR_TLV_SR_ALGORITHM:
+			if (TLV_BODY_SIZE(tlvh) < 1 ||
+			    TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+				break;
 			algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
 
 			for (int i = 0; i < ntohs(algo->header.length); i++) {
@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
 			break;
 
 		case RI_SR_TLV_SRGB_LABEL_RANGE:
+			if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+				break;
 			range = (struct ri_sr_tlv_sid_label_range *)tlvh;
 			size = GET_RANGE_SIZE(ntohl(range->size));
 			lower = GET_LABEL(ntohl(range->lower.value));
@@ -2524,6 +2529,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
 			break;
 
 		case RI_SR_TLV_SRLB_LABEL_RANGE:
+			if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+				break;
 			range = (struct ri_sr_tlv_sid_label_range *)tlvh;
 			size = GET_RANGE_SIZE(ntohl(range->size));
 			lower = GET_LABEL(ntohl(range->lower.value));
@@ -2541,6 +2548,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
 			break;
 
 		case RI_SR_TLV_NODE_MSD:
+			if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
+				break;
 			msd = (struct ri_sr_tlv_node_msd *)tlvh;
 			if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
 			    && (node->msd == msd->value))
-- 
2.35.3

Places

File 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch of Package frr.35334

Places