ospfd: Solved crash in RI parsing with OSPF TE

Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to
read Segment Routing subTLVs. The original code doesn't check if the size of
the SR subTLVs have the correct length. In presence of erronous LSA, this will
cause a buffer overflow and ospfd crash.

This patch introduces new verification of the subTLVs size for Router
Information TLV.

Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>

diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index cafad514156723823fe285a98bc4a64d6e5f71f8..ffea80ca0f25127172090e5bf17dcfba19866d8a 100644 (file)
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -2493,6 +2493,9 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
 
                switch (ntohs(tlvh->type)) {
                case RI_SR_TLV_SR_ALGORITHM:
+                       if (TLV_BODY_SIZE(tlvh) < 1 ||
+                           TLV_BODY_SIZE(tlvh) > ALGORITHM_COUNT)
+                               break;
                        algo = (struct ri_sr_tlv_sr_algorithm *)tlvh;
 
                        for (int i = 0; i < ntohs(algo->header.length); i++) {
@@ -2517,6 +2520,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
                        break;
 
                case RI_SR_TLV_SRGB_LABEL_RANGE:
+                       if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+                               break;
                        range = (struct ri_sr_tlv_sid_label_range *)tlvh;
                        size = GET_RANGE_SIZE(ntohl(range->size));
                        lower = GET_LABEL(ntohl(range->lower.value));
@@ -2534,6 +2539,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
                        break;
 
                case RI_SR_TLV_SRLB_LABEL_RANGE:
+                       if (TLV_BODY_SIZE(tlvh) != RI_SR_TLV_LABEL_RANGE_SIZE)
+                               break;
                        range = (struct ri_sr_tlv_sid_label_range *)tlvh;
                        size = GET_RANGE_SIZE(ntohl(range->size));
                        lower = GET_LABEL(ntohl(range->lower.value));
@@ -2551,6 +2558,8 @@ static int ospf_te_parse_ri(struct ls_ted *ted, struct ospf_lsa *lsa)
                        break;
 
                case RI_SR_TLV_NODE_MSD:
+                       if (TLV_BODY_SIZE(tlvh) < RI_SR_TLV_NODE_MSD_SIZE)
+                               break;
                        msd = (struct ri_sr_tlv_node_msd *)tlvh;
                        if ((CHECK_FLAG(node->flags, LS_NODE_MSD))
                            && (node->msd == msd->value))