From: Olivier Dugeon Date: Tue, 16 Apr 2024 14:42:06 +0000 (+0200) Subject: ospfd: protect call to get_edge() in ospf_te.c X-Git-Tag: docker/8.5.5~7^2~2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=1a35a2c0667b34f8472eacabde8182abb67ddee4;p=mirror%2Ffrr.git ospfd: protect call to get_edge() in ospf_te.c During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c could return null pointer, in particular when the link_id or advertised router IP addresses are fuzzed. As the null pointer returned by get_edge() function is not handlei by calling functions, this could cause ospfd crash. This patch introduces new verification of returned pointer by get_edge() function and stop the processing in case of null pointer. In addition, link ID and advertiser router ID are validated before calling ls_find_edge_by_key() to avoid the creation of a new edge with an invalid key. CVE-2024-34088 Co-authored-by: Iggy Frankovic Signed-off-by: Olivier Dugeon
---
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
index 75f4e0c9f0..fe9fc65e8d 100644
--- a/ospfd/ospf_te.c
+++ b/ospfd/ospf_te.c
@@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
 struct ls_edge *edge;
 struct ls_attributes *attr;
+ /* Check that Link ID and Node ID are valid */
+ if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
+ adv.origin != OSPFv2)
+ return NULL;
+
 /* Search Edge that corresponds to the Link ID */
 key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
 edge = ls_find_edge_by_key(ted, key);
@@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,
 /* Get Corresponding Edge from Link State Data Base */
 edge = get_edge(ted, vertex->node->adv, link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link Data. Abort!");
+ return;
+ }
 attr = edge->attributes;
 /* re-attached edge to vertex if needed */
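Review bot: In get_edge(), `IPV4_NET0()` is applied to `link_id.s_addr` and `adv.id.ip.addr.s_addr` with no byte-order conversion, while the very next statement builds the key from `ntohl(link_id.s_addr)`. The macro's definition is not in this hunk; if it masks the most significant byte of a host-order value, then on a little-endian host the new check inspects the last octet instead, so a valid ID of the form x.y.z.0 is rejected and a 0.x.y.z ID still reaches ls_find_edge_by_key(). I would write `if (IPV4_NET0(ntohl(link_id.s_addr)) || IPV4_NET0(ntohl(adv.id.ip.addr.s_addr)) ||` after confirming against the macro. The function body starts and continues outside the hunk.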
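Review bot: In ospf_te_update_link() the rejected lookup is reported only through `ote_debug()`, so (presumably, when TE debugging is off) an LSA carrying an invalid link or router ID is dropped with no trace an operator could alert on; the guards added in ospf_te_parse_te() and ospf_te_parse_ext_link() share this. Because the commit message ties this path to malformed input, a counter or a rate-limited warning would make it observable, for example `zlog_warn("%s: no edge for link data %pI4", __func__, &link_data);`. Rate limiting matters here because the triggering input is peer-controlled. The function starts and ends outside the hunk.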
@@ -2277,6 +2286,11 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
 /* Get corresponding Edge from Link State Data Base */
 edge = get_edge(ted, attr.adv, attr.standard.local);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Link local add./ID. Abort!");
+ return -1;
+ }
+
 old = edge->attributes;
 ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
@@ -2760,6 +2774,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
 lnid.id.ip.area_id = lsa->area->area_id;
 ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
 edge = get_edge(ted, lnid, ext->link_data);
+ if (!edge) {
+ ote_debug(" |- Found no edge from Extended Link Data. Abort!");
+ return -1;
+ }
 atr = edge->attributes;
 ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
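Review bot: In ospf_te_parse_ext_link(), `ext->link_data` is read from `lsa->data` through a cast immediately before the new NULL check, and nothing in the hunk shows that the LSA is long enough to hold a `struct ext_tlv_link`. The function begins outside the hunk, so a length check may already exist earlier; if it does not, get_edge() is handed bytes from beyond a short LSA, which the added guard cannot detect. A check placed before the cast, such as `if (ntohs(lsa->data->length) < OSPF_LSA_HEADER_SIZE + sizeof(struct ext_tlv_link)) return -1;`, would cover that case.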