[Xorp-cvs] XORP cvs commit: xorp/ospf

Atanu Ghosh atanu at icir.org
Sun Oct 15 23:50:04 PDT 2006


CVSROOT:	/usr/local/www/data/cvs
Module name:	xorp
Changes by:	atanu at xorpc.icir.org	2006-10-16 06:50:04 UTC

XORP CVS repository


Modified files:
	ospf          lsa.cc test_packet.cc 

Added files:
	ospf          packet1.data 

Log message:
	The length field in LSAs was not being correctly validated; a length of
	0 or 1 caused OSPF to crash.
	
	It is verified that the LSA length field falls within the packet. It
	is also verified that the packet is large enough to contain an LSA of
	the type being decoded.
	
	The missing check was that the length field in the LSA was not too
	small. This should not have been a problem, as the decoding routine
	would eventually have detected the length mismatch. The problem was
	that before decoding of an LSA is started its checksum is verified
	using the length of the LSA contained in the LSA; the length has two
	subtracted from it before being passed to the verification
	routine. The verification routine expects an unsigned length; (1 - 2)
	gives a buffer length of 4294967295 (0xffffffff), which eventually
	causes a crash.
	
	The length field in the packet is now checked to make sure that it
	meets the minimum LSA size requirement for the LSA being decoded.
	
	The offending packet from the trace that was provided is in
	packet1.data and a test has been added to test_packet:
	$ ./test_packet -v -t packet_decode_bad1V2
	
	Bugzilla URL:   http://www.xorp.org/bugzilla/show_bug.cgi?id=664
	Bug found by:   Mu Security (security AT musecurity.com)

Revision  Changes                                 Path
1.72      +19 -10;  commitid: 127c445332b9a7ea6;  xorp/ospf/lsa.cc
1.1       +34 -0                                  xorp/ospf/packet1.data (new)
1.41      +34 -1;  commitid: 127c445332b9a7ea6;   xorp/ospf/test_packet.cc
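
The unsigned wrap described in the log message, next to a minimum-length check of the kind the commit introduces. This is an added example, not the code from lsa.cc: the function names, the 24-byte Router-LSA minimum and the sample LSAs are assumptions constructed for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// OSPFv2 LSA header (RFC 2328): 20 bytes, 16-bit length field at offset 18.
constexpr size_t LSA_HEADER_LEN = 20;
constexpr size_t LSA_LENGTH_OFFSET = 18;
// Assumed minimum for a Router-LSA: header plus 4 bytes (flags, link count).
constexpr size_t ROUTER_LSA_MIN_LEN = 24;

// Read the network-order length field from an LSA header.
static uint32_t lsa_length(const uint8_t* lsa) {
    return (uint32_t(lsa[LSA_LENGTH_OFFSET]) << 8) | lsa[LSA_LENGTH_OFFSET + 1];
}

// Before the fix: length - 2 in unsigned arithmetic wraps for a length of 0 or 1.
uint32_t unchecked_checksum_span(const uint8_t* lsa) {
    return lsa_length(lsa) - 2;
}

// After the fix: validate the length field before any subtraction is done.
bool checked_checksum_span(const uint8_t* buf, size_t buf_len,
                           size_t min_lsa_len, uint32_t* span) {
    if (min_lsa_len < LSA_HEADER_LEN) min_lsa_len = LSA_HEADER_LEN;
    if (buf_len < min_lsa_len) return false;  // packet too short for this LSA type
    uint32_t len = lsa_length(buf);
    if (len < min_lsa_len) return false;      // the check that was missing
    if (len > buf_len) return false;          // length runs past the packet
    *span = len - 2;                          // cannot wrap: len >= 20
    return true;
}

// Constructed sample: a zeroed 24-byte LSA with only the length field set.
std::array<uint8_t, ROUTER_LSA_MIN_LEN> make_lsa(uint16_t length) {
    std::array<uint8_t, ROUTER_LSA_MIN_LEN> lsa{};
    lsa[LSA_LENGTH_OFFSET] = uint8_t(length >> 8);
    lsa[LSA_LENGTH_OFFSET + 1] = uint8_t(length & 0xff);
    return lsa;
}

int main() {
    for (int length : {0, 1, 19, 24, 4000}) {
        auto lsa = make_lsa(uint16_t(length));
        uint32_t span = 0;
        bool ok = checked_checksum_span(lsa.data(), lsa.size(), ROUTER_LSA_MIN_LEN, &span);
        std::printf("length=%d unchecked=%u checked=%s\n", length,
                    unsigned(unchecked_checksum_span(lsa.data())), ok ? "accept" : "reject");
    }
}
```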
