From 44d1115ad6e7c01090d95480a27bd4484c91ffc5 Mon Sep 17 00:00:00 2001 From: Mobashshera Rasool Date: Fri, 3 Sep 2021 04:52:23 -0700 Subject: [PATCH] ospfd: ANVL Test case 25.22, 25.23 and 28.11 fixes ANVL Test case 28.11 If the database copy has LS age equal to MaxAge and LS sequence number equal to MaxSequenceNumber, simply discard the received LSA without acknowledging it. ANVL Test Case 25.22 When an attempt is made to increment the sequence number past the maximum value of N - 1 (0x7fffffff; also referred to as MaxSequenceNumber), the current instance of the LSA must first be flushed from the routing domain. ANVL Test Case 25.23 As soon as this flooding of a LSA with LS sequence number MaxSequenceNumber has been acknowledged by all adjacent neighbors, a new instance can be originated with sequence number of InitialSequenceNumber. RCA: When IXIA sent LS Seq num as MAX and LS Age as (MAX - 3), DUT dropped the packet instead of sending ACK. In function ospf_ls_upd, at Line 2106 the code is there to drop the LSA. Hence its failing. Fix: LSAs ACK must be sent when received LSA is having max sequence number but not max-aged. Considering /* CVE-2017-3224 */ issue, have corrected the existing code to prevent attacker from sending LSAs with max sequence number and higher checksum and blocking the flooding of the Max-sequence numbered LSAs. Signed-off-by: Mobashshera Rasool --- ospfd/ospf_lsa.h | 2 ++ ospfd/ospf_packet.c | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ospfd/ospf_lsa.h b/ospfd/ospf_lsa.h index d01dc720ba..f536c311f9 100644 --- a/ospfd/ospf_lsa.h +++ b/ospfd/ospf_lsa.h @@ -218,6 +218,8 @@ struct as_external_lsa { #define LS_AGE(x) (OSPF_LSA_MAXAGE < get_age(x) ? OSPF_LSA_MAXAGE : get_age(x)) #define IS_LSA_SELF(L) (CHECK_FLAG ((L)->flags, OSPF_LSA_SELF)) #define IS_LSA_MAXAGE(L) (LS_AGE ((L)) == OSPF_LSA_MAXAGE) +#define IS_LSA_MAX_SEQ(L) \ + ((L)->data->ls_seqnum == htonl(OSPF_MAX_SEQUENCE_NUMBER)) #define OSPF_LSA_UPDATE_DELAY 2 diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 9930b0bd49..8a76e265bc 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -2089,11 +2089,11 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, if (current == NULL || (ret = ospf_lsa_more_recent(current, lsa)) < 0) { /* CVE-2017-3224 */ - if (current && (lsa->data->ls_seqnum == - htonl(OSPF_MAX_SEQUENCE_NUMBER) - && !IS_LSA_MAXAGE(lsa))) { + if (current && (IS_LSA_MAX_SEQ(current)) + && (IS_LSA_MAX_SEQ(lsa)) + && !IS_LSA_MAXAGE(lsa)) { zlog_debug( - "Link State Update[%s]: has Max Seq but not MaxAge. Dropping it", + "Link State Update[%s]: has Max Seq and higher checksum but not MaxAge. Dropping it", dump_lsa_key(lsa)); DISCARD_LSA(lsa, 4); -- 2.39.5