path: root/debian/patches/CVE-2024-27913.patch
blob: 0db69fd1228e701abc60e422e6ea48047bc7ab0a (plain)
commit aae54e20498974cb026bd0e2649ca3e753090492
Author: Olivier Dugeon <olivier.dugeon@orange.com>
Date:   Mon Feb 26 10:40:34 2024 +0100

    ospfd: Solved crash in OSPF TE parsing
    
    Iggy Frankovic discovered an ospfd crash when performing fuzzing of OSPF LSA
    packets. The crash occurs in the ospf_te_parse_te() function when attempting to
    create the corresponding edge from TE Link parameters. If there is no local
    address, an edge is created but without any attributes. During parsing, the
    function tries to access these attribute fields, which have not been created,
    causing an ospfd crash.
    
    The patch simply checks if the TE parser has found a valid local address. If not
    found, we stop the parser, which avoids the crash.
    
    Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
    (cherry picked from commit a73e66d07329d721f26f3f336f7735de420b0183)

diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index d203b5ef4..1a01bf77b 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2245,6 +2245,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
 	}
 
 	/* Get corresponding Edge from Link State Data Base */
+	if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
+		ote_debug("  |- Found no TE Link local address/ID. Abort!");
+		return -1;
+	}
 	edge = get_edge(ted, attr.adv, attr.standard.local);
 	old = edge->attributes;
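
Review bot: the result of get_edge() is still dereferenced unchecked at `old = edge->attributes;`, so the new guard in ospf_te_parse_te() only protects the parser as long as a missing local address/ID is the sole way to end up with an edge that has no attributes. Since this input comes from LSA packets received off the network, consider also checking `edge` and `edge->attributes` right after the get_edge() call and returning -1 there, so the parser fails closed if another path produces an attribute-less edge. Minor: the existing comment "Get corresponding Edge from Link State Data Base" now sits above the guard rather than the get_edge() call it describes; move the guard above that comment or give it its own one-line comment stating that a TE Link needs a local address or local ID.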