Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/CVE-2024-27913.patch | 34 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 35 insertions, 0 deletions
diff --git a/debian/patches/CVE-2024-27913.patch b/debian/patches/CVE-2024-27913.patch
new file mode 100644
index 0000000..0db69fd
--- /dev/null
+++ b/debian/patches/CVE-2024-27913.patch
@@ -0,0 +1,34 @@
+commit aae54e20498974cb026bd0e2649ca3e753090492
+Author: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Mon Feb 26 10:40:34 2024 +0100
+
+ ospfd: Solved crash in OSPF TE parsing
+
+ Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
+ packets. The crash occurs in ospf_te_parse_te() function when attemping to
+ create corresponding egde from TE Link parameters. If there is no local
+ address, an edge is created but without any attributes. During parsing, the
+ function try to access to this attribute fields which has not been created
+ causing an ospfd crash.
+
+ The patch simply check if the te parser has found a valid local address. If not
+ found, we stop the parser which avoid the crash.
+
+ Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+ (cherry picked from commit a73e66d07329d721f26f3f336f7735de420b0183)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index d203b5ef4..1a01bf77b 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2245,6 +2245,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ }
+
+ /* Get corresponding Edge from Link State Data Base */
++ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
++ ote_debug(" |- Found no TE Link local address/ID. Abort!");
++ return -1;
++ }
+ edge = get_edge(ted, attr.adv, attr.standard.local);
+ old = edge->attributes;
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d43093e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2024-27913.patch |
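Review bot: In the ospf_te.c hunk carried by this patch, the result of `get_edge()` is still dereferenced unconditionally at `old = edge->attributes;`, so the new guard covers only the one input shape named in the commit message (no local address and no local ID). Because this path parses LSA contents received from the network, a defensive check right after the lookup, e.g. `if (edge == NULL || edge->attributes == NULL) return -1;`, would keep any other route to an attribute-less edge from reaching the same crash; whether such a route exists depends on get_edge(), which is not shown here. The rejection is reported only through `ote_debug`, which presumably stays silent unless TE debugging is enabled, so a warning-level log would help operators notice malformed TE LSAs. ospf_te_parse_te() starts and ends outside the hunk, so later checks on `old` may already exist.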