ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)
This vulnerability (CERT-FI #514838) was reported by CROSS project.
The error is reproducible only when ospfd debugging is enabled:
* debug ospf packet all
* debug ospf zebra
When incoming packet header type field is set to 0x0a, ospfd will crash.
* ospf_packet.c
* ospf_verify_header(): add type field check
* ospf_read(): perform input checks early
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 7227452..489b928 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2258,6 +2258,13 @@
return -1;
}
+ /* Valid OSPFv2 packet types are 1 through 5 inclusive. */
+ if (ospfh->type < 1 || ospfh->type > 5)
+ {
+ zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type);
+ return -1;
+ }
+
/* Check Area ID. */
if (!ospf_check_area_id (oi, ospfh))
{
@@ -2385,6 +2392,17 @@
/* associate packet with ospf interface */
oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);
+ /* Verify header fields before any further processing. */
+ ret = ospf_verify_header (ibuf, oi, iph, ospfh);
+ if (ret < 0)
+ {
+ if (IS_DEBUG_OSPF_PACKET (0, RECV))
+ zlog_debug ("ospf_read[%s]: Header check failed, "
+ "dropping.",
+ inet_ntoa (iph->ip_src));
+ return ret;
+ }
+
/* If incoming interface is passive one, ignore it. */
if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)
{
@@ -2494,20 +2512,6 @@
zlog_debug ("-----------------------------------------------------");
}
- /* Some header verification. */
- ret = ospf_verify_header (ibuf, oi, iph, ospfh);
- if (ret < 0)
- {
- if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV))
- {
- zlog_debug ("ospf_read[%s/%s]: Header check failed, "
- "dropping.",
- ospf_packet_type_str[ospfh->type],
- inet_ntoa (iph->ip_src));
- }
- return ret;
- }
-
stream_forward_getp (ibuf, OSPF_HEADER_SIZE);
/* Adjust size to message length. */