quagga (0.99.17-2+squeeze3) 99_CVE-2011-3325_part2_ospf_pkg_type.dpatch

Summary

 ospfd/ospf_packet.c |   32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

    
download this patch

Patch contents

#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_CVE-2011-3325_part2_ospf_pkg_type.dpatch by  <ch@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: http://code.quagga.net/?p=quagga.git;a=commitdiff_plain;h=717750433839762d23a5f8d88fe0b4d57c8d490a

@DPATCH@

# From: Denis Ovsienko <infrastation@yandex.ru>
# Date: Mon, 26 Sep 2011 09:18:02 +0000 (+0400)
# Subject: ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)
# X-Git-Tag: quagga_0_99_19_release~3
# X-Git-Url: http://code.quagga.net/?p=quagga.git;a=commitdiff_plain;h=717750433839762d23a5f8d88fe0b4d57c8d490a
# 
# ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)
# 
# This vulnerability (CERT-FI #514838) was reported by CROSS project.
# 
# The error is reproducible only when ospfd debugging is enabled:
#   * debug ospf packet all
#   * debug ospf zebra
# When the incoming packet's header type field is set to 0x0a, ospfd will crash.
# 
# * ospf_packet.c
#   * ospf_verify_header(): add type field check
#   * ospf_read(): perform input checks early
# ---
# 
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 5727878..151ed32 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -2321,6 +2321,13 @@ ospf_verify_header (struct stream *ibuf, struct ospf_interface *oi,
       return -1;
     }
 
+  /* Valid OSPFv2 packet types are 1 through 5 inclusive. */
+  if (ospfh->type < 1 || ospfh->type > 5)
+  {
+    zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type);
+    return -1;
+  }
+
   /* Check Area ID. */
   if (!ospf_check_area_id (oi, ospfh))
     {
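Review bot: The bounds of the new type check are bare literals `1` and `5`, while the header's message-type constants already name those values; writing it as `if (ospfh->type < OSPF_MSG_HELLO || ospfh->type > OSPF_MSG_LS_ACK)` states the intent and keeps the check tied to the enum the rest of the file dispatches on. The added block also opens its brace at column 2, whereas the neighbouring `if (!ospf_check_area_id (oi, ospfh))` indents the brace in the file's GNU style, so the new lines read as if pasted from elsewhere. The remainder of ospf_verify_header lies outside this hunk, so whether `oi` can be NULL at this point cannot be confirmed here; the `IF_NAME (oi)` in the warning assumes it is not.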
@@ -2448,6 +2455,17 @@ ospf_read (struct thread *thread)
   /* associate packet with ospf interface */
   oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);
 
+  /* Verify header fields before any further processing. */
+  ret = ospf_verify_header (ibuf, oi, iph, ospfh);
+  if (ret < 0)
+  {
+    if (IS_DEBUG_OSPF_PACKET (0, RECV))
+      zlog_debug ("ospf_read[%s]: Header check failed, "
+                  "dropping.",
+                  inet_ntoa (iph->ip_src));
+    return ret;
+  }
+
   /* If incoming interface is passive one, ignore it. */
   if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)
     {
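Review bot: ospf_verify_header is now called with an `oi` that can still be NULL: the line right after the new block, `if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE)`, guards against exactly that, yet the new call passes `oi` unconditionally, and the same patch makes ospf_verify_header report a bad type via `IF_NAME (oi)` and run `ospf_check_area_id (oi, ospfh)`, both of which take `oi` and presumably dereference it. A packet arriving from a source with no matching ospf_interface would then reach a NULL dereference on the new early-check path, which replaces the crash this CVE fixes with another one. The call site that the third hunk removes sat after the interface association and passive checks; keeping the verification there and only switching the debug message to `IS_DEBUG_OSPF_PACKET (0, RECV)` avoids the problem, or alternatively the early call needs a `if (oi == NULL)` bail-out in front of it, matching whatever ospf_read does for that case further down (outside this hunk). ospf_read continues beyond both ends of the hunk.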
@@ -2557,20 +2575,6 @@ ospf_read (struct thread *thread)
 	zlog_debug ("-----------------------------------------------------");
   }
 
-  /* Some header verification. */
-  ret = ospf_verify_header (ibuf, oi, iph, ospfh);
-  if (ret < 0)
-    {
-      if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV))
-        {
-          zlog_debug ("ospf_read[%s/%s]: Header check failed, "
-                     "dropping.",
-                     ospf_packet_type_str[ospfh->type],
-                     inet_ntoa (iph->ip_src));
-        }
-      return ret;
-    }
-
   stream_forward_getp (ibuf, OSPF_HEADER_SIZE);
 
   /* Adjust size to message length. */