From: CROSS Date: Mon, 26 Sep 2011 09:17:21 +0000 (+0400) Subject: ospfd: CVE-2011-3326 (uknown LSA type segfault) X-Git-Tag: frr-2.0-rc1~1918^2~98 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=af143a26ef96ba9be7b9c0b151b7605e1c2c74cd;p=mirror%2Ffrr.git ospfd: CVE-2011-3326 (uknown LSA type segfault) This vulnerability (CERT-FI #514837) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. Quagga ospfd does not seem to handle unknown LSA types in a Link State Update message correctly. If LSA type is something else than one supported by Quagga, the default handling of unknown types leads to an error. * ospf_flood.c * ospf_flood(): check return value of ospf_lsa_install() --- diff --git a/ospfd/ospf_flood.c b/ospfd/ospf_flood.c index 41661da2f4..fc0bbf1268 100644 --- a/ospfd/ospf_flood.c +++ b/ospfd/ospf_flood.c @@ -319,7 +319,8 @@ ospf_flood (struct ospf *ospf, struct ospf_neighbor *nbr, procedure cannot overwrite the newly installed LSA until MinLSArrival seconds have elapsed. */ - new = ospf_lsa_install (ospf, nbr->oi, new); + if (! (new = ospf_lsa_install (ospf, nbr->oi, new))) + return 0; /* unknown LSA type */ /* Acknowledge the receipt of the LSA by sending a Link State Acknowledgment packet back out the receiving interface. */
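Review bot: the new early `return 0;` in ospf_flood() treats every NULL return from ospf_lsa_install() as "unknown LSA type", but the check itself cannot tell why the install failed, so the comment should either say "install failed" or the commit should document that an unknown type is the only NULL case. Two further points on the same two lines: the assignment overwrites `new` with NULL before returning, so the caller's only pointer to the received LSA is gone, and it is not visible here whether ospf_lsa_install() or the caller releases it on failure; keeping the result in a separate variable, or adding a comment on ownership, would make that explicit. The return also skips the Link State Acknowledgment step described in the context comment right below, so the neighbor is never acked for this LSA; if that is intended, say so in the comment, and consider a debug or warning log line so that dropped LSAs of unsupported types from a peer are visible to operators.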