Missing checking the lsa_length in ospf
Hi,

I am doing testing work on network protocols and here is one possible issue I noticed in OSPF.

I noticed that you have checked the length of lsa in your function ospf_dump_lsupd in lsupd.c <https://gitlab.nic.cz/labs/bird/-/blob/master/proto/ospf/lsupd.c>:

    if (((lsa_len % 4) != 0) || (lsa_len <= sizeof(struct ospf_lsa_header)))
      goto invalid;

However in the other packet types, like LSACK and LSREQ, I didn’t see similar checking. I am worrying about whether this would be an issue. I would really appreciate it if anyone can have a look at it.

Thank you!

Best
Mingwei

On Mon, Apr 24, 2023 at 03:51:22PM -0400, Mingwei Zheng wrote:
> Hi,
>
> I am doing testing work on network protocols and here is one possible issue I noticed in OSPF.
>
> I noticed that you have checked the length of lsa in your function ospf_dump_lsupd in lsupd.c <https://gitlab.nic.cz/labs/bird/-/blob/master/proto/ospf/lsupd.c>:
>
>     if (((lsa_len % 4) != 0) || (lsa_len <= sizeof(struct ospf_lsa_header)))
>       goto invalid;
>
> However in the other packet types, like LSACK and LSREQ, I didn’t see similar checking. I am worrying about whether this would be an issue. I would really appreciate it if anyone can have a look at it. Thank you!

Hi

LSACK and LSREQ handle just fixed-size LSA headers, not full LSAs, so there is no reason for lsa_len checks.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

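The distinction drawn in the reply above, as an added C example that is not BIRD's code and not part of either message: an LS Update body is walked by each LSA's own length field, so that field must be validated, while an LS Ack body is a run of fixed 20-byte headers whose length field never drives the walk. The function names `walk_lsupd` and `walk_lsack` are hypothetical, and the check against the remaining packet bytes is an assumption added here on top of the condition quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>

#define LSA_HDR_LEN 20u  /* OSPFv2 LSA header size (RFC 2328, A.4.1) */

/* Read the 16-bit big-endian length field at offset 18 of an LSA header. */
static unsigned lsa_length(const uint8_t *hdr)
{
  return ((unsigned) hdr[18] << 8) | hdr[19];
}

/*
 * Walk the LSAs of an LS Update body (the bytes after the "# LSAs" field).
 * Each LSA is variable-length, so its length field is untrusted input that
 * decides where the next LSA starts. Returns the LSA count, or -1 if malformed.
 */
int walk_lsupd(const uint8_t *body, size_t len)
{
  size_t off = 0;
  int count = 0;

  while (off < len)
  {
    if (len - off < LSA_HDR_LEN)
      return -1;                 /* truncated header */

    unsigned lsa_len = lsa_length(body + off);

    /* Same conditions as the check quoted in the thread */
    if ((lsa_len % 4) != 0 || lsa_len <= LSA_HDR_LEN)
      return -1;
    if (lsa_len > len - off)
      return -1;                 /* assumed extra bound: LSA runs past the body */

    off += lsa_len;
    count++;
  }
  return count;
}

/* LS Ack body: back-to-back 20-byte headers; only the body size needs checking. */
int walk_lsack(const uint8_t *body, size_t len)
{
  (void) body;                   /* the per-header length field is not used to walk */
  return (len % LSA_HDR_LEN != 0) ? -1 : (int) (len / LSA_HDR_LEN);
}
```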
participants (2): Mingwei Zheng, Ondrej Zajicek