ospfd: CVE-2011-3326 (uknown LSA type segfault) This vulnerability (CERT-FI #514837) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. Quagga ospfd does not seem to handle unknown LSA types in a Link State Update message correctly. If LSA type is something else than one supported by Quagga, the default handling of unknown types leads to an error. * ospf_flood.c * ospf_flood(): check return value of ospf_lsa_install()

commit: af143a26ef96ba9be7b9c0b151b7605e1c2c74cd [log] [tgz]
author: CROSS <info@codenomicon.com> Mon Sep 26 13:17:21 2011 +0400
committer: Denis Ovsienko <infrastation@yandex.ru> Mon Sep 26 18:39:52 2011 +0400
tree: 52d988f2eb1ccaddec7a725ee30766593dfc1f6b
parent: a1afbc6e1d56b06409de5e8d7d984d565817fd96 [diff] [blame]
diff --git a/ospfd/ospf_flood.c b/ospfd/ospf_flood.c
index 41661da..fc0bbf1 100644
--- a/ospfd/ospf_flood.c
+++ b/ospfd/ospf_flood.c

@@ -319,7 +319,8 @@
      procedure cannot overwrite the newly installed LSA until
      MinLSArrival seconds have elapsed. */  
 
-  new = ospf_lsa_install (ospf, nbr->oi, new);
+  if (! (new = ospf_lsa_install (ospf, nbr->oi, new)))
+    return 0; /* unknown LSA type */
 
   /* Acknowledge the receipt of the LSA by sending a Link State
      Acknowledgment packet back out the receiving interface. */
commit	af143a26ef96ba9be7b9c0b151b7605e1c2c74cd	[log] [tgz]
author	CROSS <info@codenomicon.com>	Mon Sep 26 13:17:21 2011 +0400
committer	Denis Ovsienko <infrastation@yandex.ru>	Mon Sep 26 18:39:52 2011 +0400
tree	52d988f2eb1ccaddec7a725ee30766593dfc1f6b
parent	a1afbc6e1d56b06409de5e8d7d984d565817fd96 [diff] [blame]