[Xorp-cvs] XORP cvs commit: xorp/ospf
Atanu Ghosh
atanu at icir.org
Sun Oct 15 23:50:04 PDT 2006
CVSROOT: /usr/local/www/data/cvs
Module name: xorp
Changes by: atanu at xorpc.icir.org 2006-10-16 06:50:04 UTC
XORP CVS repository
Modified files:
ospf lsa.cc test_packet.cc
Added files:
ospf packet1.data
Log message:
The length field in LSAs was not being correctly validated; a length of
0 or 1 caused OSPF to crash.

It is verified that the LSA length field falls within the packet. It
is also verified that the packet is large enough to contain an LSA of
the type being decoded.

The missing check was that the length field in the LSA was not too
small; this should not have been a problem as the decoding routine
would eventually have detected the length mismatch. The problem was
that before decoding of an LSA is started, its checksum is verified
using the length of the LSA contained in the LSA; the length has two
subtracted from it before being passed to the verification
routine. The verification routine expects an unsigned length; (1 - 2)
gives a buffer length of 4294967295 (0xffffffff), which eventually
causes a crash.

The length field in the packet is now checked to make sure that it
meets the minimum LSA size requirement for the LSA being decoded.

The offending packet from the trace that was provided is in
packet1.data and a test has been added to test_packet:

$ ./test_packet -v -t packet_decode_bad1V2
Bugzilla URL: http://www.xorp.org/bugzilla/show_bug.cgi?id=664
Bug found by: Mu Security (security AT musecurity.com)
Revision  Changes    Path
1.72      +19 -10;   commitid: 127c445332b9a7ea6;  xorp/ospf/lsa.cc
1.1       +34 -0     xorp/ospf/packet1.data (new)
1.41      +34 -1;    commitid: 127c445332b9a7ea6;  xorp/ospf/test_packet.cc
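
The wrap-around described in the log message, as an added example that is not XORP's code: the function names and the zeroed 20-byte header are assumptions made for illustration, and the offsets are those of the OSPFv2 LSA header (length field at byte 18, checksum skipping the 2-byte LS age).

```cpp
// Added illustration; names are hypothetical and this is not XORP's lsa.cc.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

static const size_t   LSA_HEADER_LEN    = 20;  // OSPFv2 LSA header size
static const size_t   LSA_LENGTH_OFFSET = 18;  // 16-bit big-endian length field
static const uint32_t LS_AGE_LEN        = 2;   // checksum skips the LS age field

// Constructed sample: a zeroed 20-byte LSA header with a chosen length field.
std::array<uint8_t, 20> make_header(uint16_t len) {
    std::array<uint8_t, 20> h{};
    h[LSA_LENGTH_OFFSET] = static_cast<uint8_t>(len >> 8);
    h[LSA_LENGTH_OFFSET + 1] = static_cast<uint8_t>(len & 0xff);
    return h;
}

static uint16_t lsa_length_field(const uint8_t *buf) {
    return static_cast<uint16_t>((buf[LSA_LENGTH_OFFSET] << 8) | buf[LSA_LENGTH_OFFSET + 1]);
}

// Pre-fix pattern: no lower bound, so a length of 0 or 1 wraps around.
uint32_t checksum_span_unchecked(const uint8_t *buf) {
    return lsa_length_field(buf) - LS_AGE_LEN;
}

// Post-fix pattern: reject a length below the minimum for the LSA type
// (min_lsa_len) or beyond the received data before any subtraction.
bool checksum_span_checked(const uint8_t *buf, size_t buf_len,
                           size_t min_lsa_len, uint32_t *span) {
    if (buf_len < LSA_HEADER_LEN || min_lsa_len < LSA_HEADER_LEN) return false;
    size_t len = lsa_length_field(buf);
    if (len < min_lsa_len || len > buf_len) return false;
    *span = static_cast<uint32_t>(len) - LS_AGE_LEN;
    return true;
}

int main() {
    uint32_t span = 0;
    auto bad = make_header(1), good = make_header(20);
    std::printf("unchecked, length 1: %u\n", checksum_span_unchecked(bad.data()));
    std::printf("checked, length 1: %s\n",
                checksum_span_checked(bad.data(), bad.size(), 20, &span) ? "accepted" : "rejected");
    if (checksum_span_checked(good.data(), good.size(), 20, &span))
        std::printf("checked, length 20: span %u\n", span);
    return 0;
}
```

The lower-bound test has to run before the subtraction; checking only that the length fits inside the packet, as the earlier code did, lets 0 and 1 through.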