From 81e27a81004a99ba9322782aaa632d03c7918a88 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Thu, 12 Dec 2019 14:53:06 -0500
Subject: [PATCH] ospfd allow fuzzing LSUPD, LSACK, LSREQ packets

- Anything except HELLO wants a neighbor created, so do that
- Skip some unnecessary stuff
- Most stuff checks the LSDB and returns early, so skip those

Signed-off-by: Quentin Young
---
 ospfd/ospf_neighbor.c | 4 ++++
 ospfd/ospf_packet.c | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/ospfd/ospf_neighbor.c b/ospfd/ospf_neighbor.c
index 98fb54d82a..2611ffaffc 100644
--- a/ospfd/ospf_neighbor.c
+++ b/ospfd/ospf_neighbor.c
@@ -448,8 +448,10 @@ static struct ospf_neighbor *ospf_nbr_add(struct ospf_interface *oi,
 nbr_nbma->nbr = nbr;
 nbr->nbr_nbma = nbr_nbma;
+#ifndef FUZZING
 if (nbr_nbma->t_poll) OSPF_POLL_TIMER_OFF(nbr_nbma->t_poll);
+#endif
 nbr->state_change = nbr_nbma->state_change + 1;
 }
@@ -457,8 +459,10 @@ static struct ospf_neighbor *ospf_nbr_add(struct ospf_interface *oi,
 }
 /* New nbr, save the crypto sequence number if necessary */
+#ifndef FUZZING
 if (ntohs(ospfh->auth_type) == OSPF_AUTH_CRYPTOGRAPHIC) nbr->crypt_seqnum = ospfh->u.crypt.crypt_seqnum;
+#endif
 /* Configure BFD if interface has it. */
 ospf_neighbor_bfd_apply(nbr);
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index ebd96a4931..145dba395a 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -1664,6 +1664,7 @@ static void ospf_ls_req(struct ip *iph, struct ospf_header *ospfh,
 /* Search proper LSA in LSDB. */
 find = ospf_lsa_lookup(oi->ospf, oi->area, ls_type, ls_id, adv_router);
+#ifndef FUZZING
 if (find == NULL) {
 OSPF_NSM_EVENT_SCHEDULE(nbr, NSM_BadLSReq);
 list_delete(&ls_upd);
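Review bot: The two `#ifndef FUZZING` guards added to ospf_nbr_add (this hunk and the one at old line 457) carry no explanation of why the poll-timer cancel and the crypt_seqnum capture have to be skipped in the fuzz build, and the next reader of this function will need one. Presumably the timer is skipped because the harness runs no event loop and the seqnum because ospf_nbr_get is now reached before the header is authenticated, but neither follows from the hunk itself; a one-line comment on each guard, e.g. `/* FUZZING: harness has no thread master, so no timer to cancel */`, would pin that down. Note that with the second guard `nbr->crypt_seqnum` keeps whatever value the allocation gave it, so any cryptographic replay check that still runs under FUZZING compares against that rather than the peer's sequence number. ospf_nbr_add starts before and ends after both hunks.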
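Review bot: Under FUZZING the result of ospf_lsa_lookup is still stored in `find` but nothing reads it any more, because every consumer is now inside the `#ifndef FUZZING` block that this hunk opens and the following hunk closes; with -Wunused-but-set-variable (and -Werror) the fuzz build may fail on it. Either hoist the `#ifndef FUZZING` above the lookup, if the LSDB lookup itself is not wanted as fuzz coverage, or add `(void)find;` after the guarded block under `#ifdef FUZZING`. The request-parsing loop and ospf_ls_req both start before and end after this hunk.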
@@ -1688,9 +1689,13 @@ static void ospf_ls_req(struct ip *iph, struct ospf_header *ospfh,
 /* Append LSA to update list. */
 listnode_add(ls_upd, find);
 length += ntohs(find->data->length);
+#endif
 size -= OSPF_LSA_KEY_SIZE;
 }
+#ifdef FUZZING
+ return;
+#endif
 /* Send rest of Link State Update. */
 if (listcount(ls_upd) > 0) {
@@ -2124,10 +2129,12 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph,
 DISCARD_LSA(lsa, 4);
 }
+#ifndef FUZZING
 /* Actual flooding procedure. */
 if (ospf_flood(oi->ospf, nbr, current, lsa) < 0) /* Trap NSSA later. */
 DISCARD_LSA(lsa, 5);
+#endif
 continue;
 }
@@ -3192,6 +3199,20 @@ enum ospf_read_return_enum ospf_read_helper(struct ospf *ospf)
 /* Adjust size to message length. */
 length = ntohs(ospfh->length) - OSPF_HEADER_SIZE;
+#ifdef FUZZING
+ /*
+ * Everything except hellos returns early with no neighbor found, so we
+ * need to make a neighbor
+ */
+ struct prefix p;
+ p.family = AF_INET;
+ p.prefixlen = 24;
+ p.u.prefix4 = iph->ip_src;
+
+ struct ospf_neighbor *n = ospf_nbr_get(oi, ospfh, iph, &p);
+ n->state = NSM_Exchange;
+#endif
+
 /* Read rest of the packet and call each sort of packet routine. */
 switch (ospfh->type) {
-- 
2.39.5
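Review bot: The `return;` added under `#ifdef FUZZING` after the loop exits with `ls_upd` still allocated: the non-fuzz path releases it with `list_delete(&ls_upd)` (visible in the error branch of the previous hunk, and presumably again after the send below), while the fuzz path never does, so every LS-Request input leaks a list and LeakSanitizer will report the harness rather than the parser under test. Suggest `list_delete(&ls_upd);` on the line before the `return;`. ospf_ls_req continues past the end of this hunk.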
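Review bot: Guarding out the ospf_flood call also guards out whatever that call does with `lsa`; if, as it appears from the surrounding code, the loop has already unlinked `lsa` from `lsas` above this hunk and ospf_flood is the path that installs or discards it, then the `continue;` that follows drops the last reference and the fuzz build leaks one LSA per accepted update. An `#else` branch that discards it the way the failure path does, i.e. `DISCARD_LSA(lsa, 5);`, would keep the harness leak-free without re-enabling flooding. The loop body and ospf_ls_upd extend beyond the hunk, so confirm where `lsa` is unlinked before relying on this.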
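Review bot: `n` is dereferenced on the line after the ospf_nbr_get call without checking that a neighbor came back, and the key it is created under uses a hard-coded `p.prefixlen = 24` while only three fields of `struct prefix p` are initialized. A neighbor is a host entry, so if the hello path keys neighbors by a full-length IPv4 prefix as it appears to, this should mirror that; writing `struct prefix p = { .family = AF_INET, .prefixlen = IPV4_MAX_BITLEN, .u.prefix4 = iph->ip_src };` zero-fills the rest of the union and avoids a /24 key whose host bits are never masked before the table lookup. A `if (!n)` check that bails out with the function's existing error return would keep a NULL from ospf_nbr_get from becoming a crash attributed to the packet parser. The comment should also say that `n->state = NSM_Exchange` deliberately bypasses the neighbor state machine so that the LSUPD/LSACK/LSREQ handlers accept the packet; ospf_read_helper continues outside the hunk.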