From 9b18d58e17d7e84f17114e5f4a6461dd7e250580 Mon Sep 17 00:00:00 2001
From: Nitin Soni <nsoni@cumulusnetworks.com>
Date: Thu, 24 Jan 2019 00:44:42 -0800
Subject: [PATCH] ospfd: ospfd core if hello packet exceeds link MTU

Ospfd cored because of an assert when we try to write more than the MTU
size to the ospf packet buffer stream. The problem is - we allocate only MTU
sized buffer. The expectation is that Hello packets are never large
enough to approach MTU. Instead of crashing, this fix discards hello and
logs an error. One should not have so many neighbors behind an
interface.

Ticket: CM-22380
Signed-off-by: Nitin Soni <nsoni@cumulusnetworks.com>
Reviewed-by: CCR-8204
---
 ospfd/ospf_errors.c |  9 +++++++++
 ospfd/ospf_errors.h |  1 +
 ospfd/ospf_packet.c | 15 +++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/ospfd/ospf_errors.c b/ospfd/ospf_errors.c
index 566fc29202..b912a80692 100644
--- a/ospfd/ospf_errors.c
+++ b/ospfd/ospf_errors.c
@@ -169,6 +169,15 @@ static struct log_ref ferr_ospf_err[] = {
 		.description = "OSPF has attempted to change states when it should not be able to",
 		.suggestion = "Gather log files and open an issue",
 	},
+	{
+		.code = EC_OSPF_LARGE_HELLO,
+		.title = "OSPF Encountered a Large Hello",
+		.description = "OSPF attempted to send a Hello larger than MTU "
+					   "but did not",
+		.suggestion = "Too many neighbors configured on a single interface."
+					  " Suggestion is to decrease the number of neighbors on"
+					  " a single interface/subnet"
+	},
 	{
 		.code = END_FERR,
 	}
diff --git a/ospfd/ospf_errors.h b/ospfd/ospf_errors.h
index cea649a6f4..726f7d9c8b 100644
--- a/ospfd/ospf_errors.h
+++ b/ospfd/ospf_errors.h
@@ -47,6 +47,7 @@ enum ospf_log_refs {
 	EC_OSPF_LSA_MISSING,
 	EC_OSPF_PTP_NEIGHBOR,
 	EC_OSPF_LSA_SIZE,
+	EC_OSPF_LARGE_HELLO,
 };
 
 extern void ospf_error_init(void);
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 3bb3b79a6a..5320e77288 100644
--- a/ospfd/ospf_packet.c
+++ b/ospfd/ospf_packet.c
@@ -3309,6 +3309,16 @@ static int ospf_make_hello(struct ospf_interface *oi, struct stream *s)
 										.prefix4))
 								flag = 1;
 
+							/* Hello packet overflows interface MTU. */
+							if (length + sizeof(uint32_t)
+								> ospf_packet_max(oi)) {
+								flog_err(
+									EC_OSPF_LARGE_HELLO,
+									"Oversized Hello packet!"
+									" Larger than MTU. Not sending it out");
+								return 0;
+							}
+
 							stream_put_ipv4(
 								s,
 								nbr->router_id
@@ -3578,6 +3588,11 @@ static void ospf_hello_send_sub(struct ospf_interface *oi, in_addr_t addr)
 
 	/* Prepare OSPF Hello body. */
 	length += ospf_make_hello(oi, op->s);
+	if (length == OSPF_HEADER_SIZE) {
+		/* Hello overshooting MTU */
+		ospf_packet_free(op);
+		return;
+	}
 
 	/* Fill OSPF header. */
 	ospf_fill_header(oi, op->s, length);
-- 
2.39.5