| author | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 13:18:51 +0400 | 
|---|---|---|
| committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 18:47:16 +0400 | 
| commit | abc7ef44ca05493500865ce81f7b84f5c4eb6594 (patch) | |
| tree | 35504952c627e93203df81ebd5c96023879df00b /ospf6d/ospf6_intra.h | |
| parent | 09395e2a0e93b2cf4258cb1de91887948796bb68 (diff) | |
ospf6d: CVE-2011-3323 (fortify packet reception)
This vulnerability (CERT-FI #514840) was reported by CROSS project.
ospf6d processes IPv6 prefix structures in incoming packets without
verifying that the declared prefix length is valid. This leads to a crash
caused by out-of-bounds memory access.
* ospf6_abr.h: new macros for size/alignment validation
* ospf6_asbr.h: idem
* ospf6_intra.h: idem
* ospf6_lsa.h: idem
* ospf6_message.h: idem
* ospf6_proto.h: idem
* ospf6_message.c
  * ospf6_packet_minlen: helper array for ospf6_packet_examin()
  * ospf6_lsa_minlen: helper array for ospf6_lsa_examin()
  * ospf6_hello_recv(): do not call ospf6_header_examin(), let upper
    layer verify the input data
  * ospf6_dbdesc_recv(): idem
  * ospf6_lsreq_recv(): idem
  * ospf6_lsupdate_recv(): idem
  * ospf6_lsack_recv(): idem
  * ospf6_prefixes_examin(): new function, implements A.4.1
  * ospf6_lsa_examin(): new function, implements A.4
  * ospf6_lsaseq_examin(): new function, an interface to above
  * ospf6_packet_examin(): new function, implements A.3
  * ospf6_rxpacket_examin(): new function, replaces
    ospf6_header_examin()
  * ospf6_header_examin(): sayonara
  * ospf6_receive(): perform passive interface check earliest possible,
    employ ospf6_rxpacket_examin()
Diffstat (limited to 'ospf6d/ospf6_intra.h')
| -rw-r--r-- | ospf6d/ospf6_intra.h | 6 | 
1 files changed, 6 insertions, 0 deletions
diff --git a/ospf6d/ospf6_intra.h b/ospf6d/ospf6_intra.h
index 31643fd89d..3810174ea6 100644
--- a/ospf6d/ospf6_intra.h
+++ b/ospf6d/ospf6_intra.h
@@ -69,6 +69,7 @@ extern u_int32_t conf_debug_ospf6_brouter_specific_area_id;
    conf_debug_ospf6_brouter_specific_area_id == (area_id))
 /* Router-LSA */
+#define OSPF6_ROUTER_LSA_MIN_SIZE              4U
 struct ospf6_router_lsa
 {
   u_char bits;
@@ -77,6 +78,7 @@ struct ospf6_router_lsa
 };
 /* Link State Description in Router-LSA */
+#define OSPF6_ROUTER_LSDESC_FIX_SIZE          16U
 struct ospf6_router_lsdesc
 {
   u_char    type;
@@ -105,6 +107,7 @@ struct ospf6_router_lsdesc
   (((struct ospf6_router_lsdesc *)(x))->neighbor_router_id)
 /* Network-LSA */
+#define OSPF6_NETWORK_LSA_MIN_SIZE             4U
 struct ospf6_network_lsa
 {
   u_char reserved;
@@ -113,6 +116,7 @@ struct ospf6_network_lsa
 };
 /* Link State Description in Router-LSA */
+#define OSPF6_NETWORK_LSDESC_FIX_SIZE          4U
 struct ospf6_network_lsdesc
 {
   u_int32_t router_id;
@@ -121,6 +125,7 @@ struct ospf6_network_lsdesc
   (((struct ospf6_network_lsdesc *)(x))->router_id)
 /* Link-LSA */
+#define OSPF6_LINK_LSA_MIN_SIZE               24U /* w/o 1st IPv6 prefix */
 struct ospf6_link_lsa
 {
   u_char          priority;
@@ -131,6 +136,7 @@ struct ospf6_link_lsa
 };
 /* Intra-Area-Prefix-LSA */
+#define OSPF6_INTRA_PREFIX_LSA_MIN_SIZE       12U /* w/o 1st IPv6 prefix */
 struct ospf6_intra_prefix_lsa
 {
   u_int16_t prefix_num;  |
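Review bot: `OSPF6_ROUTER_LSA_MIN_SIZE` is a hand-written `4U` with nothing tying it to `struct ospf6_router_lsa`, and the same holds for the five constants added in the later hunks (`OSPF6_ROUTER_LSDESC_FIX_SIZE`, `OSPF6_NETWORK_LSA_MIN_SIZE`, `OSPF6_NETWORK_LSDESC_FIX_SIZE`, `OSPF6_LINK_LSA_MIN_SIZE`, `OSPF6_INTRA_PREFIX_LSA_MIN_SIZE`). The commit message says these feed the new length validation, so a value that ever drifts below the layout of the struct it guards would presumably let a truncated LSA pass the check and be read past its end. Only the two prefix-carrying macros have a comment; I would document every one, e.g. `/* fixed part of the Router-LSA body; keep equal to sizeof (struct ospf6_router_lsa) */`, and state once what MIN_SIZE versus FIX_SIZE means. The struct bodies continue outside these hunks, so the numbers cannot be confirmed from the diff alone.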
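Review bot: `OSPF6_NETWORK_LSDESC_FIX_SIZE` lands directly under the comment `/* Link State Description in Router-LSA */`, yet the struct that follows is `struct ospf6_network_lsdesc`; the comment looks copied from the router descriptor earlier in the file. Now that the per-descriptor size is part of packet validation, a reader checking the 4-byte value against the wrong LSA type is easy to mislead, so I would correct the line while here to `/* Link State Description in Network-LSA */`. The struct body continues outside the hunk.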
