<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello!</p>
<p>I recently tested the OSPF protocol implementation with the AFL
fuzzer and found a problem that causes an invalid memory read.</p>
<p><a class="moz-txt-link-freetext" href="https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463">https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463</a><br>
The problem is that 'plen' may be less than 'hlen'.<br>
If this happens, 'blen' will wrap around:<br>
</p>
<pre class="code highlight" lang="c"><span id="LC463" class="line" lang="c">  if (ospf_is_v2(p) &amp;&amp; (pkt->autype != OSPF_AUTH_CRYPT))</span>
<span id="LC464" class="line" lang="c">  {</span>
<span id="LC465" class="line" lang="c">    uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);</span>
<span id="LC466" class="line" lang="c">    uint blen = plen - hlen;</span>
<span id="LC467" class="line" lang="c">    void *body = ((void *) pkt) + hlen;</span>
<span id="LC468" class="line" lang="c"></span>
<span id="LC469" class="line" lang="c">    if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))</span>
<span id="LC470" class="line" lang="c">      DROP("invalid checksum", ntohs(pkt->checksum));</span>
<span id="LC471" class="line" lang="c">  }</span>
</pre>
<p>'plen' is declared here:
<a class="moz-txt-link-freetext" href="https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443">https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443</a></p>
<pre class="code highlight" lang="c"><span id="LC443" class="line hll" lang="c">  uint plen = ntohs(pkt->length);</span>
<span id="LC444" class="line" lang="c">  if ((plen &lt; sizeof(struct ospf_packet)) || ((plen % 4) != 0))</span>
<span id="LC445" class="line" lang="c">    DROP("invalid length", plen);</span></pre>
<pre class="moz-signature" cols="72">--
Best regards,
Slava Aseev</pre>
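<p>The length check described in the report, modelled as an added example (this is not BIRD's code): the original order of checks beside a hardened variant that rejects a declared length shorter than header plus authentication trailer before the subtraction. The header and trailer sizes (16 and 8 bytes) and the constructed packets are assumptions.</p>

```c
#include <stdint.h>

/* Assumed sizes (not copied from BIRD's headers): 16-byte common OSPF
 * header plus the 8-byte OSPFv2 authentication trailer, so hlen == 24. */
#define OSPF_PKT_LEN   16u
#define OSPF_AUTH2_LEN  8u
#define DROPPED       (-1LL)

/* The 16-bit big-endian 'length' field sits at offset 2 of the header
 * (the equivalent of ntohs(pkt->length) in the reported code). */
unsigned int ospf_read_length(const uint8_t *pkt)
{
    return ((unsigned int)pkt[2] << 8) | pkt[3];
}

/* Same order of checks as the reported code: only the minimum header
 * size and 4-byte alignment are tested before 'plen - hlen'. Returns
 * the 'blen' that would be handed to ipsum_verify, or DROPPED. */
long long ospf_body_len_original(const uint8_t *pkt)
{
    unsigned int plen = ospf_read_length(pkt);
    if (plen < OSPF_PKT_LEN || (plen % 4) != 0)
        return DROPPED;                        /* "invalid length" */
    unsigned int hlen = OSPF_PKT_LEN + OSPF_AUTH2_LEN;
    unsigned int blen = plen - hlen;           /* wraps when plen < hlen */
    return (long long)blen;
}

/* Hardened variant: a declared length shorter than header + auth
 * trailer is rejected before the subtraction, so blen can never wrap
 * and the checksum routine stays inside the received bytes. */
long long ospf_body_len_checked(const uint8_t *pkt)
{
    unsigned int plen = ospf_read_length(pkt);
    unsigned int hlen = OSPF_PKT_LEN + OSPF_AUTH2_LEN;
    if (plen < OSPF_PKT_LEN || (plen % 4) != 0 || plen < hlen)
        return DROPPED;
    return (long long)(plen - hlen);
}

/* Constructed OSPFv2 headers (version 2, type 1 = Hello, router id 1);
 * only the 16 header bytes are stored since nothing beyond them is read.
 * short_pkt declares length 16: it passes the original checks but is
 * shorter than hlen. hello_pkt declares length 44: a 20-byte body. */
const uint8_t short_pkt[16] = {2, 1, 0x00, 0x10, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0};
const uint8_t hello_pkt[16] = {2, 1, 0x00, 0x2c, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0};
```

<p>For short_pkt the original computation yields blen = 4294967288 (16 - 24 in 32-bit unsigned arithmetic), which is the size ipsum_verify would then try to read.</p>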
</body>
</html>