Dirk Mueller
26e7e54960
- Apply upstream fix solving ospfd denial of service via get_edge() function returning a NULL pointer (CVE-2024-34088,bsc#1223786, gh#FRRouting/frr#16088). [+ 0023-ospfd-protect-call-to-get_edge-in-ospf_te.c.patch] - Apply upstream fix solving ospfd buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (CVE-2024-31951, bsc#1222528,gh#FRRouting/frr#16088). [+ 0022-ospfd-Correct-Opaque-LSA-Extended-parser.patch] - Apply upstream fix solving ospfd buffer overflow and daemon crash in RI parsing with OSPF TE (CVE-2024-31950,bsc#1222526, gh#FRRouting/frr#16088). [+ 0021-ospfd-Solved-crash-in-RI-parsing-with-OSPF-TE.patch] OBS-URL: https://build.opensuse.org/request/show/1178686 OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=67
68 lines
2.5 KiB
Diff
68 lines
2.5 KiB
Diff
From 298704f1e73221172432e2a4afd79086ffcd4cca Mon Sep 17 00:00:00 2001
|
|
From: Olivier Dugeon <olivier.dugeon@orange.com>
|
|
Date: Wed, 3 Apr 2024 16:28:23 +0200
|
|
Upstream: yes
|
|
References: CVE-2024-31950,bsc#1222526,gh#FRRouting/frr#16088
|
|
Subject: [PATCH 1/3] ospfd: Solved crash in RI parsing with OSPF TE
|
|
|
|
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
|
|
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
|
|
read Segment Routing subTLVs. The original code doesn't check if the size of
|
|
the SR subTLVs have the correct length. In presence of erronous LSA, this will
|
|
cause a buffer overflow and ospfd crash.
|
|
|
|
This patch introduces new verification of the subTLVs size for Router
|
|
Information TLV.
|
|
|
|
Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
|
|
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
|
|
(cherry picked from commit f69d1313b19047d3d83fc2b36a518355b861dfc4)
|
|
---
|
|
ospfd/ospf_te.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
|
|
index 45eb205759..885b915585 100644
|
|
--- a/ospfd/ospf_te.c
|
|
+++ b/ospfd/ospf_te.c
|
|
@@ -2483,6 +2483,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
|
|
switch (ntohs(tlvh->type)) {
|
|
case RI_SR_TLV_SR_ALGORITHM:
|
|
+ if (TLV_BODY_SIZE(tlvh) < 1 ||
|
|
+ TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
|
|
+ break;
|
|
algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
|
|
|
|
for (int i = 0; i < ntohs(algo->header.length); i++) {
|
|
@@ -2507,6 +2510,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
break;
|
|
|
|
case RI_SR_TLV_SRGB_LABEL_RANGE:
|
|
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
|
|
+ break;
|
|
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
|
|
size = GET_RANGE_SIZE(ntohl(range->size));
|
|
lower = GET_LABEL(ntohl(range->lower.value));
|
|
@@ -2524,6 +2529,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
break;
|
|
|
|
case RI_SR_TLV_SRLB_LABEL_RANGE:
|
|
+ if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
|
|
+ break;
|
|
range = (struct ri_sr_tlv_sid_label_range *)tlvh;
|
|
size = GET_RANGE_SIZE(ntohl(range->size));
|
|
lower = GET_LABEL(ntohl(range->lower.value));
|
|
@@ -2541,6 +2548,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
|
|
break;
|
|
|
|
case RI_SR_TLV_NODE_MSD:
|
|
+ if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
|
|
+ break;
|
|
msd = (struct ri_sr_tlv_node_msd *)tlvh;
|
|
if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
|
|
&& (node->msd == msd->value))
|
|
--
|
|
2.35.3
|
|
|