[quagga-dev 8871] Quagga 0.99.19 security patch causes ospfd crash

YAMAMOTO Shigeru shigeru at iij.ad.jp
Wed Sep 28 02:03:25 BST 2011


Hi all,

ospfd in our environment crashes after 0.99.19.

It is caused by the 'ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)' patch.
# It was already reported by Denis Ovsienko.

In 'ospf_read()',

   /* associate packet with ospf interface */
   oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp);

   /* Verify header fields before any further processing. */
   ret = ospf_verify_header (ibuf, oi, iph, ospfh);

'oi' is NULL when 'ospf_if_lookup_recv_if()' returns NULL.

In that case, ospfd crashes at 'ospf_verify_header()',

   /* Check Area ID. */
   if (!ospf_check_area_id (oi, ospfh))

by accessing a NULL pointer.

I made a patch to change the place where 'ospf_verify_header()' is called.

Thanks,
-------
YAMAMOTO Shigeru			Service Engineering Section
<shigeru at iij.ad.jp>			Product Development Department
					SEIL Business Unit
					Internet Initiative Japan Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-commit-717750433839762d23a5f8d88fe0b4d57c8d490a-caus.patch
Type: text/x-patch
Size: 1898 bytes
Desc: not available
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20110928/d38f2454/attachment-0001.bin>
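Added example, not part of the original message and not the attached patch or Quagga code: a simplified C model of the crash described above, in which the interface lookup can return NULL and the header check reads through that pointer. All struct, enum and function names are hypothetical stand-ins, and the guard shown is one way to avoid the dereference.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins for ospfd's structures. */
struct area { uint32_t area_id; };
struct oi   { uint32_t addr, mask; struct area *area; };  /* OSPF interface */
struct hdr  { uint8_t type; uint32_t area_id; };          /* OSPF header */

enum verdict { PKT_OK, PKT_DROP_NO_IF, PKT_DROP_BAD_TYPE, PKT_DROP_BAD_AREA };

/* Models ospf_if_lookup_recv_if(): NULL when no OSPF-enabled interface
 * matches the packet's source address. */
static struct oi *lookup_recv_if(struct oi *tbl, size_t n, uint32_t src)
{
    for (size_t i = 0; i < n; i++)
        if ((src & tbl[i].mask) == (tbl[i].addr & tbl[i].mask))
            return &tbl[i];
    return NULL;
}

/* Models the header verification step: the area check reads oi->area,
 * so the caller must guarantee oi is non-NULL. */
static enum verdict verify_header(const struct oi *oi, const struct hdr *h)
{
    if (h->type < 1 || h->type > 5)          /* OSPF packet types are 1..5 */
        return PKT_DROP_BAD_TYPE;
    if (h->area_id != oi->area->area_id)     /* dereferences oi */
        return PKT_DROP_BAD_AREA;
    return PKT_OK;
}

/* Receive path: the lookup result is checked before it reaches the
 * verification step. Without this check, a packet arriving from an
 * address with no matching interface crashes the daemon. */
enum verdict read_packet(struct oi *tbl, size_t n, uint32_t src,
                         const struct hdr *h)
{
    struct oi *oi = lookup_recv_if(tbl, n, src);
    if (oi == NULL)
        return PKT_DROP_NO_IF;
    return verify_header(oi, h);
}
```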

