File bug-718059_quagga-master-514838.1.patch of Package quagga.import5276

Overview Repositories Revisions Requests Users Attributes Meta

File bug-718059_quagga-master-514838.1.patch of Package quagga.import5276

commit 6952d9a10f29b29ae79a7329a882da5938dda553
Author: Denis Ovsienko <infrastation@yandex.ru>
Date:   Thu Sep 1 18:46:51 2011 +0400

ospfd: CERT-FI #514838.1 (OSPF header underrun)
    
    This vulnerability was reported by CROSS project.
    
    When only 14 first bytes of a Hello packet is delivered, ospfd crashes.
    
    * ospf_packet.c
      * ospf_read(): add size check

diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 1066e64..7227452 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2367,10 +2367,19 @@ ospf_read (struct thread *thread)
       return 0;
     }
 
-  /* Adjust size to message length. */
+  /* Advance from IP header to OSPF header (iph->ip_hl has been verified
+     by ospf_recv_packet() to be correct). */
   stream_forward_getp (ibuf, iph->ip_hl * 4);
-  
-  /* Get ospf packet header. */
+
+  /* Make sure the OSPF header is really there. */
+  if (stream_get_endp (ibuf) - stream_get_getp (ibuf) < OSPF_HEADER_SIZE)
+  {
+    zlog_debug ("ospf_read: ignored OSPF packet with undersized (%u bytes) header",
+                stream_get_endp (ibuf) - stream_get_getp (ibuf));
+    return -1;
+  }
+
+  /* Now it is safe to access all fields of OSPF packet header. */
   ospfh = (struct ospf_header *) STREAM_PNT (ibuf);
 
   /* associate packet with ospf interface */

Places

File bug-718059_quagga-master-514838.1.patch of Package quagga.import5276

Places