[quagga-dev 10571] Re: ospfd, new_msg_lsa_change_notify: looks like a buffer overflow

Florian Weimer fweimer at redhat.com
Thu Jul 4 14:11:20 BST 2013


On 07/02/2013 08:09 PM, Charlet, Ricky wrote:

> Index: ospfd/ospf_api.c
> ===================================================================
> --- ospfd/ospf_api.c    (revision 10875)
> +++ ospfd/ospf_api.c    (working copy)
> @@ -639,7 +639,7 @@
>     nmsg->area_id = area_id;
>     nmsg->is_self_originated = is_self_originated;
>     memset (&nmsg->pad, 0, sizeof (nmsg->pad));
> -  memcpy (&nmsg->data, data, ntohs (data->length));
> +  memcpy (&nmsg->data, data, sizeof(struct lsa_header));
>
>     return msg_new (msgtype, nmsg, seqnum, len);
>   }
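Review bot: the copy length and the message length now disagree in this hunk: only sizeof(struct lsa_header) bytes are copied into nmsg->data, but `len` is passed to msg_new unchanged on the line `return msg_new (msgtype, nmsg, seqnum, len);`, so whatever `len` was derived from still decides how many bytes msg_new reads out of nmsg, and those bytes past the header are now never written. Copying a fixed header size also discards the LSA body that the original `ntohs (data->length)` copy carried, which changes what API clients receive. Suggest instead bounding the value taken from data->length to the space remaining in the buffer after the fixed fields, rejecting (returning NULL) or clamping when it exceeds that, and using that single bounded value both as the memcpy size and as the `len` handed to msg_new.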

I believe this still leaves an opportunity for a read buffer overflow in 
msg_new.

I'm attaching the patches I've got.  ospf_packet.c appears to ensure the 
sanity of the data->length member, and the callers of the new_msg_* 
functions appear to cope with a NULL return value.  Consequently, I think 
this approach is okay.  But I have not actually tested it.  Ricky, can 
you help with that?

I also added hardening in a few similar places.

These patches are also available from
<https://github.com/fweimer/quagga.git>, branch ospf_api-overflow.  I'm 
not sure if they are based on the most recent sources, though.

-- 
Florian Weimer / Red Hat Product Security Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ospf_api-Fix-on-stack-buffer-alignment.patch
Type: text/x-patch
Size: 4510 bytes
Desc: not available
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20130704/b4956b5c/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-ospf_api-Add-buffer-size-checks-to-new_msg_-function.patch
Type: text/x-patch
Size: 2614 bytes
Desc: not available
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20130704/b4956b5c/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-new_msg_register_event-new_msg_sync_lsdb-Copy-filter.patch
Type: text/x-patch
Size: 2237 bytes
Desc: not available
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20130704/b4956b5c/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-ospf_apiclient_lsa_originate-Fix-on-stack-buffer-ali.patch
Type: text/x-patch
Size: 2011 bytes
Desc: not available
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20130704/b4956b5c/attachment-0008.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-ospf_apiclient_lsa_originate-Guard-against-excessive.patch
Type: text/x-patch
Size: 1059 bytes
Desc: not available
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20130704/b4956b5c/attachment-0009.bin>
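The length-bounding discipline discussed above, as an added example that is not Quagga's ospf_api.c and not any of the attached patches: a simplified C model of the notify-message builder, with the unchecked wire-length copy on one side and a version that validates the length once and uses the same bounded value for both the memcpy and the length passed onward. The struct layouts, API_MAX_MSG_SIZE and the demo_* helpers are assumptions made for this illustration.

```c
/* Added example, not Quagga's ospf_api.c: a simplified model of the
 * new_msg_lsa_change_notify() pattern.  Struct layouts, the buffer size
 * and the demo_* helpers are assumptions made for this illustration. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define API_MAX_MSG_SIZE 1500   /* assumed size of the on-stack message buffer */

/* Stand-in for the OSPF LSA header; length is big-endian, covers header
 * plus body, and arrives from the network, so a peer controls it. */
struct lsa_header {
    uint16_t ls_age;
    uint8_t  options;
    uint8_t  type;
    uint32_t id;
    uint32_t adv_router;
    uint32_t ls_seqnum;
    uint16_t checksum;
    uint16_t length;
} __attribute__((packed));

/* Stand-in for msg_lsa_change_notify: fixed fields, then the LSA header,
 * with the LSA body continuing in the same buffer. */
struct msg_lsa_change_notify {
    uint32_t ifaddr;
    uint32_t area_id;
    uint8_t  is_self_originated;
    uint8_t  pad[3];
    struct lsa_header data;
} __attribute__((packed));

/* Space left for the LSA once the fixed fields are in the buffer. */
static size_t lsa_room(size_t bufsize)
{
    size_t hdr = offsetof(struct msg_lsa_change_notify, data);
    return bufsize > hdr ? bufsize - hdr : 0;
}

/* The unchecked pattern, memcpy(&nmsg->data, data, ntohs(data->length)):
 * report whether that copy would run past the buffer instead of doing it. */
int unchecked_copy_overflows(const struct lsa_header *data, size_t bufsize)
{
    return (size_t)ntohs(data->length) > lsa_room(bufsize);
}

/* Hardened builder: the wire length is validated once, bounds the memcpy,
 * and becomes the length handed onward, so a consumer (msg_new in the
 * original) never reads more than was written.  Returns the message
 * length, or -1 when the LSA is shorter than a header or does not fit;
 * callers must handle the failure, as they do a NULL from msg_new. */
long build_lsa_change_notify(uint8_t *buf, size_t bufsize,
                             uint32_t ifaddr, uint32_t area_id,
                             uint8_t is_self_originated,
                             const struct lsa_header *data)
{
    struct msg_lsa_change_notify *nmsg = (struct msg_lsa_change_notify *)buf;
    size_t hdr = offsetof(struct msg_lsa_change_notify, data);
    size_t len = ntohs(data->length);

    if (len < sizeof(struct lsa_header) || len > lsa_room(bufsize))
        return -1;
    nmsg->ifaddr = ifaddr;
    nmsg->area_id = area_id;
    nmsg->is_self_originated = is_self_originated;
    memset(nmsg->pad, 0, sizeof nmsg->pad);
    memcpy(&nmsg->data, data, len);
    return (long)(hdr + len);
}

/* Constructed sample LSA: zeroed fields except type and the wire length,
 * backed by a buffer large enough for any length the checks accept. */
static const struct lsa_header *sample_lsa(uint16_t wire_length)
{
    static uint8_t raw[API_MAX_MSG_SIZE];
    struct lsa_header h;
    memset(raw, 0, sizeof raw);
    memset(&h, 0, sizeof h);
    h.type = 1;                       /* router-LSA */
    h.length = htons(wire_length);
    memcpy(raw, &h, sizeof h);
    return (const struct lsa_header *)raw;
}

int demo_unchecked_overflows(uint16_t wire_length)
{
    return unchecked_copy_overflows(sample_lsa(wire_length), API_MAX_MSG_SIZE);
}

long demo_build(uint16_t wire_length)
{
    uint8_t buf[API_MAX_MSG_SIZE];
    return build_lsa_change_notify(buf, sizeof buf, 0x0a000001, 0, 1,
                                   sample_lsa(wire_length));
}

int main(void)
{
    uint16_t lengths[] = { 60, 10, 1488, 1489, 65535 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("length %5u: unchecked overflow=%d, hardened result=%ld\n",
               lengths[i], demo_unchecked_overflows(lengths[i]), demo_build(lengths[i]));
    return 0;
}
```

With a 1500-byte buffer and 12 bytes of fixed fields, 1488 is the largest LSA the hardened builder accepts; 1489 and 65535 are refused before any copy, and a 10-byte "LSA" is refused because it cannot even hold a header. The unchecked predicate flags the same oversized lengths that the original `ntohs (data->length)` copy would have written past the stack buffer.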

