diff options
Diffstat (limited to 'ospfd/ospf_packet.c')
| -rw-r--r-- | ospfd/ospf_packet.c | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 3bb3b79a6a..b3c91b9006 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -148,7 +148,7 @@ void ospf_packet_free(struct ospf_packet *op) XFREE(MTYPE_OSPF_PACKET, op); } -struct ospf_fifo *ospf_fifo_new() +struct ospf_fifo *ospf_fifo_new(void) { struct ospf_fifo *new; @@ -2098,10 +2098,22 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, if (current == NULL || (ret = ospf_lsa_more_recent(current, lsa)) < 0) { + /* CVE-2017-3224 */ + if (current && (lsa->data->ls_seqnum == + htonl(OSPF_MAX_SEQUENCE_NUMBER) + && !IS_LSA_MAXAGE(lsa))) { + zlog_debug( + "Link State Update[%s]: has Max Seq but not MaxAge. Dropping it", + dump_lsa_key(lsa)); + + DISCARD_LSA(lsa, 4); + continue; + } + /* Actual flooding procedure. */ if (ospf_flood(oi->ospf, nbr, current, lsa) < 0) /* Trap NSSA later. */ - DISCARD_LSA(lsa, 4); + DISCARD_LSA(lsa, 5); continue; } @@ -2158,7 +2170,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, oi->ls_ack, ospf_lsa_lock(lsa)); - DISCARD_LSA(lsa, 5); + DISCARD_LSA(lsa, 6); } else /* Acknowledge the receipt of the LSA by sending a Link State Acknowledgment packet back out the @@ -2166,7 +2178,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, interface. */ { ospf_ls_ack_send(nbr, lsa); - DISCARD_LSA(lsa, 6); + DISCARD_LSA(lsa, 7); } } @@ -2183,7 +2195,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, if (IS_LSA_MAXAGE(current) && current->data->ls_seqnum == htonl(OSPF_MAX_SEQUENCE_NUMBER)) { - DISCARD_LSA(lsa, 7); + DISCARD_LSA(lsa, 8); } /* Otherwise, as long as the database copy has not been sent in a @@ -2206,7 +2218,7 @@ static void ospf_ls_upd(struct ospf *ospf, struct ip *iph, ospf_ls_upd_send_lsa( nbr, current, OSPF_SEND_PACKET_DIRECT); - DISCARD_LSA(lsa, 8); + DISCARD_LSA(lsa, 9); } } } @@ -3309,6 +3321,15 @@ static int ospf_make_hello(struct ospf_interface *oi, struct stream *s) .prefix4)) flag = 1; + /* Hello packet overflows interface MTU. */ + if (length + sizeof(uint32_t) + > ospf_packet_max(oi)) { + flog_err( + EC_OSPF_LARGE_HELLO, + "Oversized Hello packet! Larger than MTU. Not sending it out"); + return 0; + } + stream_put_ipv4( s, nbr->router_id @@ -3578,6 +3599,11 @@ static void ospf_hello_send_sub(struct ospf_interface *oi, in_addr_t addr) /* Prepare OSPF Hello body. */ length += ospf_make_hello(oi, op->s); + if (length == OSPF_HEADER_SIZE) { + /* Hello overshooting MTU */ + ospf_packet_free(op); + return; + } /* Fill OSPF header. */ ospf_fill_header(oi, op->s, length); |