Missing checking the lsa_length in ospf
Ondrej Zajicek
santiago at crfreenet.org
Wed May 3 04:41:56 CEST 2023
On Mon, Apr 24, 2023 at 03:51:22PM -0400, Mingwei Zheng wrote:
> Hi,
>
> I am doing testing work on network protocols and here is one possible issue I noticed in OSPF.
>
> I noticed that you have checked the length of lsa in your function ospf_dump_lsupd in lsupd.c <https://gitlab.nic.cz/labs/bird/-/blob/master/proto/ospf/lsupd.c>:
>
> if (((lsa_len % 4) != 0) || (lsa_len <= sizeof(struct ospf_lsa_header)))
> goto invalid;
> However in the other packet types, like LSACK and LSREQ, I didn’t see similar checking. I am worrying about whether this would be an issue.
> I would really appreciate it if anyone can have a look at it. Thank you!
Hi
LSACK and LSREQ handle just fixed-size LSA headers, not full LSAs, so
there is no reason for lsa_len checks.
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
More information about the Bird-users
mailing list