[quagga-dev 10586] Re: [PATCH] ospfd: CVE-2013-2236, stack overrun in apiserver

Florian Weimer fweimer at redhat.com
Tue Jul 9 08:50:54 BST 2013


On 07/08/2013 11:06 PM, David Lamparter wrote:
> @@ -627,13 +635,16 @@ new_msg_lsa_change_notify (u_char msgtype,
>     assert (data);
>
>     nmsg = (struct msg_lsa_change_notify *) buf;
> -  len = ntohs (data->length) + sizeof (struct msg_lsa_change_notify)
> -    - sizeof (struct lsa_header);
>     nmsg->ifaddr = ifaddr;
>     nmsg->area_id = area_id;
>     nmsg->is_self_originated = is_self_originated;
>     memset (&nmsg->pad, 0, sizeof (nmsg->pad));
> -  memcpy (&nmsg->data, data, ntohs (data->length));
> +
> +  len = ntohs (data->length);
> +  if (len > sizeof (buf) - offsetof (struct msg_lsa_change_notify, data))
> +    len = sizeof (buf) - offsetof (struct msg_lsa_change_notify, data);
> +  memcpy (&nmsg->data, data, len);
> +  len += sizeof (struct msg_lsa_change_notify) - sizeof (struct lsa_header);
>
>     return msg_new (msgtype, nmsg, seqnum, len);
>   }
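Review bot: the clamp on `len` truncates the copied LSA silently, but the copy still carries the LSA's own `length` field from `data`, so after a truncation `nmsg->data.length` advertises more bytes than were actually placed in the message, and any consumer that trusts that inner field can read past the copied payload. Since an LSA that does not fit the fixed buffer is a malformed or hostile input rather than a normal case, the safer change at the `if (len > sizeof (buf) - offsetof (...))` check is to log and return NULL (with the callers handling a failed `new_msg_lsa_change_notify`) instead of shortening the copy, so the inner and outer lengths never diverge. Also worth a comment: `sizeof (buf)` is only the buffer size if `buf` is a fixed-size array in this function's scope, not a pointer; a one-line note next to the check would keep a future refactor from turning it into `sizeof (char *)`.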

I'm worried that this leaves data->length inconsistent with the outer 
PDU length.  This might confuse further processing.

-- 
Florian Weimer / Red Hat Product Security Team




More information about the Quagga-dev mailing list