diff options
| author | Olivier Dugeon <olivier.dugeon@orange.com> | 2024-02-26 10:40:34 +0100 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-02-27 15:42:49 +0000 |
| commit | 9bc006048711226c1484de04738487ce9bbcfd0c (patch) | |
| tree | d67bd030fd251cfa9d6ba07179ca0dc5b4bd7d51 /ospfd | |
| parent | 8b02d3efe13118b1228c269f1a9272586bdee942 (diff) | |
ospfd: Solved crash in OSPF TE parsing
Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
packets. The crash occurs in ospf_te_parse_te() function when attemping to
create corresponding egde from TE Link parameters. If there is no local
address, an edge is created but without any attributes. During parsing, the
function try to access to this attribute fields which has not been created
causing an ospfd crash.
The patch simply check if the te parser has found a valid local address. If not
found, we stop the parser which avoid the crash.
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit a73e66d07329d721f26f3f336f7735de420b0183)
Diffstat (limited to 'ospfd')
| -rw-r--r-- | ospfd/ospf_te.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c index d203b5ef4d..1a01bf77b8 100644 --- a/ospfd/ospf_te.c +++ b/ospfd/ospf_te.c @@ -2245,6 +2245,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) } /* Get corresponding Edge from Link State Data Base */ + if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) { + ote_debug(" |- Found no TE Link local address/ID. Abort!"); + return -1; + } edge = get_edge(ted, attr.adv, attr.standard.local); old = edge->attributes; |