invalid memory read in proto/ospf/packet.c

Kenth Eriksson Kenth.Eriksson at infinera.com
Mon Jun 8 13:00:23 CEST 2020


On Mon, 2020-06-08 at 13:18 +0300, Slava Aseev wrote:
> Hello!
> 
> I recently tested the OSPF protocol implementation with the AFL fuzzer and found a problem that causes an invalid memory read.
> 
> https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463
> The problem is that 'plen' may be less than 'hlen'.
> And if this happens, then 'blen' will wrap around:
> 
>   if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
>   {
>     uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
>     uint blen = plen - hlen;
>     void *body = ((void *) pkt) + hlen;
> 
>     if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
>       DROP("invalid checksum", ntohs(pkt->checksum));
>   }
> 'plen' declared here: https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443
> 
>   uint plen = ntohs(pkt->length);
>   if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
>     DROP("invalid length", plen);

I had a similar issue, fixed in master by this commit

https://gitlab.labs.nic.cz/labs/bird/-/commit/9f2670277cc0d56d3364d4784348056174175aba

But this happened only with OSPF authentication.
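The following is an added, self-contained C illustration of the length-check gap discussed in this thread; it is not code from the thread or from BIRD. It reproduces the two checks visible in the quoted snippet (fixed header size and 4-byte alignment) in `weak_body_len()`, which shows the unsigned wrap-around of `blen` when the packet's length field is smaller than the header plus plaintext authentication field, and places a hardened `safe_body_len()` beside it that bounds the length field by the bytes actually received and rejects `plen < hlen` before subtracting. The header layout (16-byte fixed header with the length field at offset 2 and autype at offset 14, followed by an 8-byte authentication field), the `OSPF_AUTH_CRYPT` value, the `len_status` enum and the helper names are assumptions made for this example, not BIRD's own definitions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout (not BIRD's structs): a 16-byte fixed OSPFv2 header with the
 * length field at offset 2 and autype at offset 14, followed by an 8-byte
 * plaintext authentication field. 16 + 8 = 24 bytes, the same hlen the quoted
 * snippet computes as sizeof(struct ospf_packet) + sizeof(union ospf_auth2). */
#define OSPF_HDR_LEN    16u
#define OSPF_AUTH2_LEN  8u
#define OSPF_AUTH_CRYPT 2u   /* assumed numeric value of the cryptographic autype */
#define OFF_LENGTH      2
#define OFF_AUTYPE      14

enum len_status {
    LEN_OK = 0,
    LEN_BAD_HEADER,   /* plen shorter than the fixed header */
    LEN_BAD_ALIGN,    /* plen not a multiple of 4 */
    LEN_TRUNCATED,    /* plen claims more bytes than were actually received */
    LEN_BELOW_AUTH    /* plen < hlen: the case reported in this thread */
};

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Mirrors only the checks visible in the quoted code: fixed header size and
 * 4-byte alignment. The subtraction below is unsigned, so a plen between 16
 * and 23 wraps blen to a value close to UINT_MAX. */
enum len_status weak_body_len(const uint8_t *pkt, size_t received, unsigned *blen)
{
    (void)received;                               /* not consulted: that is the gap */
    unsigned plen = read_be16(pkt + OFF_LENGTH);
    if (plen < OSPF_HDR_LEN) return LEN_BAD_HEADER;
    if (plen % 4 != 0)       return LEN_BAD_ALIGN;
    unsigned hlen = OSPF_HDR_LEN;
    if (read_be16(pkt + OFF_AUTYPE) != OSPF_AUTH_CRYPT)
        hlen += OSPF_AUTH2_LEN;
    *blen = plen - hlen;                          /* wraps when plen < hlen */
    return LEN_OK;
}

/* Hardened variant: bound plen by the received byte count and require
 * plen >= hlen before subtracting, so blen can never wrap. */
enum len_status safe_body_len(const uint8_t *pkt, size_t received, unsigned *blen)
{
    if (received < OSPF_HDR_LEN) return LEN_TRUNCATED;
    unsigned plen = read_be16(pkt + OFF_LENGTH);
    if (plen < OSPF_HDR_LEN) return LEN_BAD_HEADER;
    if (plen % 4 != 0)       return LEN_BAD_ALIGN;
    if (plen > received)     return LEN_TRUNCATED;
    unsigned hlen = OSPF_HDR_LEN;
    if (read_be16(pkt + OFF_AUTYPE) != OSPF_AUTH_CRYPT)
        hlen += OSPF_AUTH2_LEN;
    if (plen < hlen)         return LEN_BELOW_AUTH;
    *blen = plen - hlen;
    return LEN_OK;
}

/* Constructed 64-byte buffer standing in for a received datagram. */
static uint8_t crafted[64];

/* Fill the constructed buffer with a header carrying the given length field
 * and autype (all other bytes zero). */
void build_crafted(uint16_t len, uint16_t autype)
{
    memset(crafted, 0, sizeof crafted);
    crafted[0] = 2;                               /* version */
    crafted[1] = 1;                               /* type: hello */
    crafted[OFF_LENGTH]     = (uint8_t)(len >> 8);
    crafted[OFF_LENGTH + 1] = (uint8_t)(len & 0xff);
    crafted[OFF_AUTYPE]     = (uint8_t)(autype >> 8);
    crafted[OFF_AUTYPE + 1] = (uint8_t)(autype & 0xff);
}

int main(void)
{
    unsigned blen = 0;
    /* length 20: passes the >= 16 and %4 checks but is below 16 + 8 */
    build_crafted(20, 0);
    enum len_status w = weak_body_len(crafted, sizeof crafted, &blen);
    printf("weak: status=%d blen=%u\n", w, blen);
    enum len_status s = safe_body_len(crafted, sizeof crafted, &blen);
    printf("safe: status=%d\n", s);
    return 0;
}
```

Running the program shows the weak path accepting the 20-byte length and handing a body length of 4294967292 to the checksum stage, while the hardened path rejects it as `LEN_BELOW_AUTH`; with the cryptographic autype the same 20-byte length is legitimately accepted by both, since the plaintext auth field is then not part of `hlen`.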


