[quagga-dev 8876] Re: Quagga 0.99.19 security patch causes ospfd crash

YAMAMOTO Shigeru shigeru at iij.ad.jp
Thu Sep 29 07:07:01 BST 2011


>>>>> Denis Ovsienko <infrastation at yandex.ru> writes:
> 28.09.2011, 05:03, "YAMAMOTO Shigeru" <shigeru at iij.ad.jp>:
>> Hi all,
>> 
>> ospfd in our environment has crashed since 0.99.19.
>> 
>> It is caused by the 'ospfd: CVE-2011-3325 part 2 (OSPF pkt type segv)'
>> patch.  # It was already reported by Denis Ovsienko.

> Logic-wise this change looks to fix the error, which was introduced by
> my fix to the CVE. Does it resolve the crash on your side completely?

Yes.
My patch works fine.

> It has never reproduced in my environment, so I need some feedback
> before proceeding with a correcting release.

I found a simple configuration that causes an ospfd crash.

neighbor A:
- start ospfd with the sample configuration.
- set the following:
  router ospf
   network 172.16.1.0/24 area 172.16.1.0

neighbor B:
- start ospfd with the sample configuration.
- set the following:
  router ospf

ospfd at neighbor B crashes when receiving a hello message from neighbor A.

crash point:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 602890 (LWP 100800/ospfd)]
0x000000080087eadc in ospf_check_area_id (oi=0x0, ospfh=0x692c2c)
    at ospf_packet.c:2215
2215      if (OSPF_AREA_SAME (&oi->area, &ospfh))
(gdb) where
#0  0x000000080087eadc in ospf_check_area_id (oi=0x0, ospfh=0x692c2c)
    at ospf_packet.c:2215
#1  0x000000080087e8aa in ospf_verify_header (ibuf=0x692be8, oi=0x0, 
    iph=0x692c18, ospfh=0x692c2c) at ospf_packet.c:2332
#2  0x000000080087ed1f in ospf_read (thread=0x7fffffffd990)
    at ospf_packet.c:2459
#3  0x0000000800b1d8ab in thread_call (thread=0x7fffffffd990) at thread.c:1177
#4  0x00000000004018f9 in main (argc=5, argv=0x7fffffffdb00) at ospf_main.c:334
(gdb) print oi
$1 = (struct ospf_interface *) 0x0
(gdb) 


tcpdump: listening on lan1, link-type EN10MB (Ethernet), capture size 4096 bytes
14:59:30.331394 IP (tos 0xc0, ttl 1, id 57664, offset 0, flags [none], proto OSPF (89), length 64)
    172.16.1.1 > 224.0.0.5: OSPFv2, Hello, length 44
        Router-ID 172.16.1.1, Area 172.16.1.0, Authentication Type: none (0)
        Options [External]
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
          Designated Router 172.16.1.1
        0x0000:  0100 5e00 0005 0289 d800 160a 0800 45c0
        0x0010:  0040 e140 0000 0159 4a4e ac10 0101 e000
        0x0020:  0005 0201 002c ac10 0101 ac10 0100 f56a
        0x0030:  0000 0000 0000 0000 0000 ffff ff00 000a
        0x0040:  0201 0000 0028 ac10 0101 0000 0000

-------
YAMAMOTO Shigeru			Service Engineering Section
<shigeru at iij.ad.jp>			Product Development Department
					SEIL Business Unit
					Internet Initiative Japan Inc.
-------------- next part --------------
! -*- ospf -*-
!
! OSPFd sample configuration file
!
!
hostname ospfd
password zebra
!enable password please-set-at-here
!
!router ospf
!  network 192.168.1.0/24 area 0
!
log stdout
!
router ospf
 network 172.16.1.0/24 area 172.16.1.0
-------------- next part --------------
! -*- ospf -*-
!
! OSPFd sample configuration file
!
!
hostname ospfd
password zebra
!enable password please-set-at-here
!
!router ospf
!  network 192.168.1.0/24 area 0
!
log stdout
!
router ospf

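For readers following the backtrace, here is an added illustration (not Quagga's code and not the patch under discussion) of the call path ospf_read -> ospf_verify_header -> ospf_check_area_id with a NULL check on the interface pointer, fed the hello from the tcpdump above. The struct layouts, return codes, and every name not in the backtrace are assumptions; the packet bytes are the OSPF part of the captured frame.

```c
/* Added illustration, not Quagga source or the patch under discussion: the call
 * path from the backtrace (ospf_read -> ospf_verify_header -> ospf_check_area_id)
 * re-created with a NULL guard on the interface pointer and fed the hello from the
 * tcpdump. Struct layouts, return codes and every name not in the backtrace are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#define OSPF_HEADER_SIZE 24

/* Hypothetical: Quagga's oi->area points to a struct ospf_area; only the ID matters here. */
struct ospf_interface { struct in_addr area_id; /* network byte order */ };

/* OSPFv2 common header (RFC 2328 A.3.1); checksum and auth fields omitted. */
struct ospf_header {
    uint8_t  version;
    uint8_t  type;
    uint16_t length;               /* host byte order after parsing */
    struct in_addr router_id;      /* network byte order, as on the wire */
    struct in_addr area_id;
};

enum verify_result {
    VERIFY_OK            =  0,
    VERIFY_SHORT_PACKET  = -1,
    VERIFY_NO_INTERFACE  = -2,
    VERIFY_AREA_MISMATCH = -3,
    VERIFY_BAD_ARGUMENT  = -4,
};

/* Bounds-checked parse of the 24-byte common header. */
int parse_header(const uint8_t *buf, size_t len, struct ospf_header *h)
{
    if (len < OSPF_HEADER_SIZE)
        return VERIFY_SHORT_PACKET;
    h->version = buf[0];
    h->type    = buf[1];
    h->length  = (uint16_t)((buf[2] << 8) | buf[3]);
    memcpy(&h->router_id, buf + 4, 4);
    memcpy(&h->area_id,   buf + 8, 4);
    return VERIFY_OK;
}

/* Area check alone; the caller must guarantee oi != NULL. */
static int check_area_id(const struct ospf_interface *oi, const struct ospf_header *h)
{
    return oi->area_id.s_addr == h->area_id.s_addr ? VERIFY_OK : VERIFY_AREA_MISMATCH;
}

/* The guard on oi is the point: the backtrace shows ospf_check_area_id entered
 * with oi=0x0, i.e. the hello arrived on an interface with no OSPF configuration
 * (neighbor B's bare "router ospf"). Drop it instead of dereferencing NULL. */
int verify_header(const struct ospf_interface *oi, const struct ospf_header *h)
{
    if (oi == NULL)
        return VERIFY_NO_INTERFACE;
    return check_area_id(oi, h);
}

/* OSPF payload of the hello in the tcpdump above: frame bytes from offset 0x22,
 * i.e. after the 14-byte Ethernet and 20-byte IP headers. */
static const uint8_t captured_hello[] = {
    0x02, 0x01, 0x00, 0x2c, 0xac, 0x10, 0x01, 0x01,  /* v2, Hello, len 44, RID 172.16.1.1 */
    0xac, 0x10, 0x01, 0x00, 0xf5, 0x6a, 0x00, 0x00,  /* area 172.16.1.0, csum, auth none */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* auth data */
    0xff, 0xff, 0xff, 0x00, 0x00, 0x0a, 0x02, 0x01,  /* mask /24, hello 10s, options E, prio 1 */
    0x00, 0x00, 0x00, 0x28, 0xac, 0x10, 0x01, 0x01,  /* dead 40s, DR 172.16.1.1 */
    0x00, 0x00, 0x00, 0x00,                          /* BDR none */
};

/* Length field of the captured header, as a parser check (44 on this capture). */
int parsed_hello_length(void)
{
    struct ospf_header h;
    return parse_header(captured_hello, sizeof captured_hello, &h) == VERIFY_OK ? h.length : -1;
}

/* Runs the captured hello through the check as if received on an interface in
 * the given area; area == NULL models neighbor B, which has no OSPF interface. */
int receive_hello(const char *area)
{
    struct ospf_interface oi;
    const struct ospf_interface *oip = NULL;
    struct ospf_header h;
    int rc;

    if (area != NULL) {
        if (inet_pton(AF_INET, area, &oi.area_id) != 1)
            return VERIFY_BAD_ARGUMENT;
        oip = &oi;
    }
    rc = parse_header(captured_hello, sizeof captured_hello, &h);
    return rc != VERIFY_OK ? rc : verify_header(oip, &h);
}

int main(void)
{
    printf("neighbor B, no OSPF interface: %d\n", receive_hello(NULL));         /* -2, dropped */
    printf("interface in area 172.16.1.0:  %d\n", receive_hello("172.16.1.0")); /* 0 */
    printf("interface in area 0.0.0.0:     %d\n", receive_hello("0.0.0.0"));    /* -3 */
    return 0;
}
```

With the guard in place the neighbor B case returns VERIFY_NO_INTERFACE and the packet is dropped; the same hello received on an interface configured in area 172.16.1.0 passes the area check, and one configured in another area is rejected as a mismatch.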