Re: Trouble ospf md5 authentication
On Fri, Mar 19, 2010 at 05:52:04PM +0159, Vitaliy Kolodinsky wrote:
In area 0.0.0.2 there are some Cisco routers, Quagga and an experimental BIRD. Cisco and Quagga work perfectly together. Cisco sends an LLS Data Block at the end of the OSPF Hello packet. Quagga does not send this block. The LLS Data Block is mentioned in IETF RFC 4813. May participate in the testing.
Hello. Could you try the attached patch to BIRD 1.2.1? That should fix this issue. -- Elen sila lumenn' omentielvo Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
Dear Ondrej Zajicek. You wrote on 20 March 2010, 3:30:42:
diff -uprN bird-1.2.1/proto/ospf/packet.c bird-1.2.1-/proto/ospf/packet.c --- bird-1.2.1/proto/ospf/packet.c 2010-01-14 11:06:27.000000000 +0100 +++ bird-1.2.1-/proto/ospf/packet.c 2010-03-19 19:24:47.000000000 +0100 @@ -179,7 +179,7 @@ ospf_pkt_checkauth(struct ospf_neighbor return 0; }
- if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE != size) + if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE < size) { OSPF_TRACE(D_PACKETS, "OSPF_auth: size mismatch (%d vs %d)", ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE, size);
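Review bot: the new comparison in ospf_pkt_checkauth, ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE < size, is true exactly when bytes follow the digest, so a Hello that carries an LLS block after the digest is still dropped with "size mismatch". At the same time a packet whose declared length plus OSPF_AUTH_CRYPT_SIZE runs past size now passes this check, so the digest could be read beyond the received data. The test should be "> size", which rejects only the truncated case and tolerates trailing data; the trace text could then say the packet is too short rather than "size mismatch".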
The patch does not work. If the IP packet contains the LLS block, the size ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE will still be less than the size of the IP packet, as the size of the LLS block is included in the size of the IP packet. We must either somehow assume the size of the LLS block or remove all checks on the size of the packet. -- Best regards, Vitaliy Kolodinsky BYVK-RIPE ISP Atlant Telecom kolodinsky@telecom.by
On Mon, Mar 22, 2010 at 10:31:32AM +0200, Vitaliy Kolodinsky wrote:
Dear Ondrej Zajicek.
You wrote on 20 March 2010, 3:30:42:
diff -uprN bird-1.2.1/proto/ospf/packet.c bird-1.2.1-/proto/ospf/packet.c --- bird-1.2.1/proto/ospf/packet.c 2010-01-14 11:06:27.000000000 +0100 +++ bird-1.2.1-/proto/ospf/packet.c 2010-03-19 19:24:47.000000000 +0100 @@ -179,7 +179,7 @@ ospf_pkt_checkauth(struct ospf_neighbor return 0; }
- if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE != size) + if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE < size) { OSPF_TRACE(D_PACKETS, "OSPF_auth: size mismatch (%d vs %d)", ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE, size);
The patch does not work. If the IP packet contains the LLS block, the size
I am sorry for a mistake, there should be the opposite inequality. The content of the LLS block might be ignored, but we must ensure that we access valid data. The fixed patch is attached. -- Elen sila lumenn' omentielvo Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) "To err is human -- to blame it on a computer is even more so."
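The bound discussed in the message above (trailing data such as an LLS block may be ignored, but the digest must lie inside the received data), as an added example that is not BIRD's code and not part of the thread. The function name, result codes and constant names are hypothetical; the sample packet in main() is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OSPF_HDR_LEN   24u  /* OSPFv2 common header */
#define MD5_DIGEST_LEN 16u  /* digest appended after the OSPF packet */

/* Hypothetical result codes for this example. */
enum len_check { LEN_OK = 0, LEN_TOO_SHORT, LEN_DIGEST_TRUNCATED };

/*
 * buf/size: OSPF data as received (the IP payload).
 * On LEN_OK, *digest_off is the digest offset and *trailing the number
 * of bytes after the digest (e.g. an LLS block) that the caller skips.
 */
enum len_check
check_crypt_len(const uint8_t *buf, size_t size,
                size_t *digest_off, size_t *trailing)
{
  if (size < OSPF_HDR_LEN)
    return LEN_TOO_SHORT;

  /* Packet length field: header bytes 2-3, network byte order. */
  size_t plen = ((size_t) buf[2] << 8) | buf[3];
  if (plen < OSPF_HDR_LEN)
    return LEN_TOO_SHORT;

  /* A strict "!=" drops Hellos followed by LLS data. Reject only when
     the digest would extend past what was actually received. */
  if (plen + MD5_DIGEST_LEN > size)
    return LEN_DIGEST_TRUNCATED;

  *digest_off = plen;
  *trailing = size - (plen + MD5_DIGEST_LEN);
  return LEN_OK;
}

int main(void)
{
  /* Constructed sample: length field 44, 16-byte digest, 12 extra bytes. */
  uint8_t pkt[72] = {0};
  size_t off, extra;
  pkt[3] = 44;
  enum len_check r = check_crypt_len(pkt, sizeof pkt, &off, &extra);
  printf("%d %zu %zu\n", (int) r, off, extra);
  return r != LEN_OK;
}
```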
Dear Ondrej Zajicek. You wrote on 22 March 2010, 14:57:44:
On Mon, Mar 22, 2010 at 10:31:32AM +0200, Vitaliy Kolodinsky wrote: I am sorry for a mistake, there should be the opposite inequality. The content of the LLS block might be ignored, but we must ensure that we access valid data. The fixed patch is attached.
Many thanks. It works. :) -- Best regards, Vitaliy Kolodinsky BYVK-RIPE ISP Atlant Telecom kolodinsky@telecom.by
participants (2): Ondrej Zajicek, Vitaliy Kolodinsky