[quagga-dev 10583] Re: ospfd, new_msg_lsa_change_notify: looks like a buffer overflow

David Lamparter equinox at opensourcerouting.org
Fri Jul 5 20:15:22 BST 2013


On Fri, Jul 05, 2013 at 06:57:19PM +0000, Charlet, Ricky wrote:
> Howdy and FYI,
>
> This is a success report testing Florian's patch set...
>
> I just reverted my patch and applied Florian's patch and retested in
> my network with the really-big-lsa set.  I yanked and injected my
> 150-link LSA repeatedly 6 or 7 times.
>
> Florian's patch survives/passes.

Thanks to both Florian for doing a larger audit and cooking up the
patchset and Ricky for testing!

In case anyone is wondering why there is no security hotfix release yet:
I'm pulling a middle ground between Florian's patches (which are a
little too extensive for a security-only release) and Ricky's (which is
a little too short to be correct, reading beyond limits).

Relatedly, this issue has been assigned CVE-2013-2236.

Also, for mainline/next version I'll probably cook something up that
dynamically sizes the buffers;  the OSPF API should be able to supply
full-size LSAs (64k) to its users.  Router LSA of large size can occur
in reality on devices with a large number of interfaces (i.e. VPN
routers, VLAN routers, Chassis devices, etc.)

Cheers,


-David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: Digital signature
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20130705/fd633a0f/attachment-0001.sig>


More information about the Quagga-dev mailing list