Marcus Meissner
f8f6f6eb79
scenario due to RIB revalidation (CVE-2024-55553,bsc#1235237) and other fixes, see https://frrouting.org/release/10.2.1/ The 10.2 version provides new features and many enhancements, see https://frrouting.org/release/10.2/ - Add new fpm_listener daemon binary to rpm file lists. - Remove --localstatedir configure parameter causing to use /run/lib instead of /var/lib prefix for the northbound databases and added the /var/lib/frr directory to the rpm file list. - Adjust to set permissions in rpm attr macros (rpmlint suggestion) and use frr_group instead of frr_user in group parameter. OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=81
68 lines
2.5 KiB
Diff
68 lines
2.5 KiB
Diff
From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
|
|
From: Olivier Dugeon <olivier.dugeon@orange.com>
|
|
Date: Wed, 3 Apr 2024 16:28:23 +0200
|
|
Upstream: yes
|
|
References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
|
|
Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE
|
|
|
|
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
|
|
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
|
|
read Segment Routing subTLVs. The original code doesn't check if the size of
|
|
the SR subTLVs have the correct length. In presence of erronous LSA, this will
|
|
cause a buffer overflow and ospfd crash.
|
|
|
|
This patch introduces new verification of the subTLVs size for Router
|
|
Information TLV.
|
|
|
|
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
|
|
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
|
|
(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
|
|
---
|
|
ospfd/ospf_te.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
|
|
index 45eb205759..885b915585 100644
|
|
--- a/ospfd/ospf_te.c
|
|
+++ b/ospfd/ospf_te.c
|
|
@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
|
|
switch (ntohs(tlvh->type)) {
|
|
case RI_SR_TLV_SR_ALGORITHM:
|
|
+ if (TLV_BODY_SIZE(tlvh) < 1 ||
|
|
+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
|
|
+ break;
|
|
algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
|
|
|
|
for (int i = 0; i < ntohs(algo->header.length); i++) {
|
|
@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
break;
|
|
|
|
case RI_SR_TLV_SRGB_LABEL_RANGE:
|
|
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
|
|
+ break;
|
|
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
|
|
size = GET_RANGE_SIZE(ntohl(range->size));
|
|
lower = GET_LABEL(ntohl(range->lower.value));
|
|
@@ -2524,6 +2529,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
break;
|
|
|
|
case RI_SR_TLV_SRLB_LABEL_RANGE:
|
|
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
|
|
+ break;
|
|
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
|
|
size = GET_RANGE_SIZE(ntohl(range->size));
|
|
lower = GET_LABEL(ntohl(range->lower.value));
|
|
@@ -2541,6 +2548,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
break;
|
|
|
|
case RI_SR_TLV_NODE_MSD:
|
|
+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
|
|
+ break;
|
|
msd = (struct ri_sr_tlv_node_msd *)tlvh;
|
|
if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
|
|
&& (node->msd == msd->value))
|
|
--
|
|
2.35.3
|
|
|