summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/CVE-2024-27913.patch34
-rw-r--r--debian/patches/series1
2 files changed, 35 insertions, 0 deletions
diff --git a/debian/patches/CVE-2024-27913.patch b/debian/patches/CVE-2024-27913.patch
new file mode 100644
index 0000000..0db69fd
--- /dev/null
+++ b/debian/patches/CVE-2024-27913.patch
@@ -0,0 +1,34 @@
+commit aae54e20498974cb026bd0e2649ca3e753090492
+Author: Olivier Dugeon <olivier.dugeon@orange.com>
+Date: Mon Feb 26 10:40:34 2024 +0100
+
+ ospfd: Solved crash in OSPF TE parsing
+
+ Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
+ packets. The crash occurs in ospf_te_parse_te() function when attemping to
+ create corresponding egde from TE Link parameters. If there is no local
+ address, an edge is created but without any attributes. During parsing, the
+ function try to access to this attribute fields which has not been created
+ causing an ospfd crash.
+
+ The patch simply check if the te parser has found a valid local address. If not
+ found, we stop the parser which avoid the crash.
+
+ Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
+ (cherry picked from commit a73e66d07329d721f26f3f336f7735de420b0183)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index d203b5ef4..1a01bf77b 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2245,6 +2245,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ }
+
+ /* Get corresponding Edge from Link State Data Base */
++ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
++ ote_debug(" |- Found no TE Link local address/ID. Abort!");
++ return -1;
++ }
+ edge = get_edge(ted, attr.adv, attr.standard.local);
+ old = edge->attributes;
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d43093e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2024-27913.patch