[quagga-dev 10582] Re: ospfd, new_msg_lsa_change_notify: looks like a buffer overflow

Charlet, Ricky ricky.charlet at hp.com
Fri Jul 5 19:57:19 BST 2013

Howdy and FYI,

	This is a success report testing Florian's patch set... 

	I just reverted my patch and applied Florian's patch and retested in my network with the really-big-lsa set.  I yanked and injected my 150-link LSA repeatedly 6 or 7 times.
	Florian's patch survives/passes.

Ricky Charlet
Software Dev / Routing Dude: Aries team, Roseville CA
ricky.charlet at hp.com
USA: 916.785.2090

-----Original Message-----
From: Florian Weimer [mailto:fweimer at redhat.com] 
Sent: Thursday, July 04, 2013 6:11 AM
To: Charlet, Ricky
Cc: quagga-dev at lists.quagga.net
Subject: Re: [quagga-dev 10568] ospfd, new_msg_lsa_change_notify: looks like a buffer overflow

On 07/02/2013 08:09 PM, Charlet, Ricky wrote:

> Index: ospfd/ospf_api.c
> ===================================================================
> --- ospfd/ospf_api.c    (revision 10875)
> +++ ospfd/ospf_api.c    (working copy)
> @@ -639,7 +639,7 @@
>     nmsg->area_id = area_id;
>     nmsg->is_self_originated = is_self_originated;
>     memset (&nmsg->pad, 0, sizeof (nmsg->pad));
> -  memcpy (&nmsg->data, data, ntohs (data->length));
> +  memcpy (&nmsg->data, data, sizeof(struct lsa_header));
>     return msg_new (msgtype, nmsg, seqnum, len);
>   }
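Review bot: bounding the memcpy to sizeof(struct lsa_header) does not fix the `len` handed to msg_new on the following line; `len` is computed before the hunk and is left unchanged, so if it is still derived from ntohs(data->length), msg_new reads past the header bytes that were actually copied (the read overflow in msg_new that the reply below refers to). Validate ntohs(data->length) up front instead: reject it, returning NULL, when it is smaller than sizeof(struct lsa_header) or larger than the room left in the destination buffer after the fixed fields, and keep the full-length copy so that `len` and the bytes copied agree.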

I believe this still leaves an opportunity for a read buffer overflow in msg_new.

I'm attaching the patches I've got.  ospf_packet.c appears to ensure the sanity of the data->length member, and the callers of the new_msg_* functions appear to cope with a NULL return value.  Consequently, I think this approach is okay.  But I have not actually tested it.  Ricky, can you help with that?

I also added hardening in a few similar places.

These patches are also available from
<https://github.com/fweimer/quagga.git>, branch ospf_api-overflow.  I'm not sure if they are based on the most recent sources, though.

Florian Weimer / Red Hat Product Security Team
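The length check this thread converges on, written out as an added example. This is not Quagga's code and not Ricky's or Florian's patch: the struct layouts, the API_MAX_MSG_SIZE value (deliberately tiny so the failure is easy to hit) and the stand-in msg_new() are assumptions made for the example. It shows the unchecked copy pattern from the quoted hunk next to a version that validates ntohs(data->length) against both the LSA header size and the space left in the stack buffer before touching it, and returns NULL on bad input as the reply above assumes callers can handle.

```c
/* Added example, not Quagga's code. Struct layouts, API_MAX_MSG_SIZE and
   msg_new() are simplified assumptions, not ospfd's real definitions. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define API_MAX_MSG_SIZE 128   /* assumed; small on purpose */

struct lsa_header {            /* 20-byte OSPF LSA header, network byte order */
  uint16_t ls_age;
  uint8_t  options;
  uint8_t  type;
  uint32_t id;
  uint32_t adv_router;
  uint32_t ls_seqnum;
  uint16_t checksum;
  uint16_t length;             /* header + body, chosen by whoever originated the LSA */
};

struct msg_lsa_change_notify { /* assumed layout of the API notification */
  uint32_t ifaddr;
  uint32_t area_id;
  uint8_t  is_self_originated;
  uint8_t  pad[3];
  struct lsa_header data;      /* LSA body follows in the same buffer */
};

union notify_buf { struct msg_lsa_change_notify m; unsigned char raw[API_MAX_MSG_SIZE]; };
union lsa_buf    { struct lsa_header h;            unsigned char raw[API_MAX_MSG_SIZE]; };

struct msg { size_t len; unsigned char body[API_MAX_MSG_SIZE]; };

/* Stand-in for msg_new(): copies len bytes out of the caller's stack buffer. */
static struct msg *msg_new(const void *src, size_t len)
{
  struct msg *m = calloc(1, sizeof *m);
  if (m == NULL) return NULL;
  m->len = len;
  memcpy(m->body, src, len);   /* over-reads src if len was never bounded */
  return m;
}

/* The pattern under discussion: copy length taken straight from the LSA.
   Kept for contrast only; never call it with untrusted input. */
static struct msg *notify_unchecked(uint32_t ifaddr, uint32_t area_id,
                                    uint8_t self, const struct lsa_header *data)
{
  union notify_buf buf;
  size_t lsa_len = ntohs(data->length);
  buf.m.ifaddr = ifaddr; buf.m.area_id = area_id; buf.m.is_self_originated = self;
  memset(buf.m.pad, 0, sizeof buf.m.pad);
  memcpy(&buf.m.data, data, lsa_len);   /* writes past buf once lsa_len > 116 */
  return msg_new(&buf.m, offsetof(struct msg_lsa_change_notify, data) + lsa_len);
}

/* Hardened form: validate first, fail closed with NULL, then copy the full
   length so the bytes copied and the length passed on agree. The caller must
   still guarantee that lsa_len bytes are readable at data. */
static struct msg *notify_checked(uint32_t ifaddr, uint32_t area_id,
                                  uint8_t self, const struct lsa_header *data)
{
  union notify_buf buf;
  const size_t fixed = offsetof(struct msg_lsa_change_notify, data);
  size_t lsa_len = ntohs(data->length);

  if (lsa_len < sizeof(struct lsa_header))   /* shorter than the header it claims */
    return NULL;
  if (lsa_len > sizeof buf.raw - fixed)      /* header + body would not fit */
    return NULL;

  buf.m.ifaddr = ifaddr; buf.m.area_id = area_id; buf.m.is_self_originated = self;
  memset(buf.m.pad, 0, sizeof buf.m.pad);
  memcpy(&buf.m.data, data, lsa_len);
  return msg_new(&buf.m, fixed + lsa_len);
}

/* Constructed LSA (not captured traffic) whose length field claims claimed_len. */
static struct lsa_header *build_lsa(union lsa_buf *scratch, uint16_t claimed_len)
{
  struct lsa_header *h = &scratch->h;
  memset(scratch->raw, 0xAB, sizeof scratch->raw);       /* body filler */
  h->ls_age = htons(1); h->options = 0x22; h->type = 1;   /* router-LSA */
  h->id = htonl(0x0A000001); h->adv_router = htonl(0x0A000001);
  h->ls_seqnum = htonl(0x80000001); h->checksum = 0;
  h->length = htons(claimed_len);
  return h;
}

/* Message length the checked path produces for a claimed LSA length, 0 if rejected. */
size_t checked_notify_len(uint16_t claimed_len)
{
  union lsa_buf scratch;
  struct msg *m = notify_checked(0, 0, 0, build_lsa(&scratch, claimed_len));
  size_t n = m ? m->len : 0;
  free(m);
  return n;
}

int main(void)
{
  union lsa_buf s;
  struct msg *m = notify_unchecked(0, 0, 0, build_lsa(&s, 28)); /* safe only because 28 fits */
  printf("unchecked, 28-byte LSA: len %zu\n", m->len);
  free(m);
  printf("checked: 28 -> %zu, 116 -> %zu, 117 -> %zu, 65535 -> %zu, 10 -> %zu\n",
         checked_notify_len(28), checked_notify_len(116), checked_notify_len(117),
         checked_notify_len(65535), checked_notify_len(10));
  return 0;
}
```

The two rejections are distinct: a claimed length below sizeof(struct lsa_header) would leave the copied header incomplete, and a claimed length above the space after the fixed fields is the stack overflow itself. Both checks run before any byte is written, and the accepted length is the one passed to msg_new, which is what the quoted hunk's truncated copy left inconsistent.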
