invalid memory read in proto/ospf/packet.c
Hello!

I recently tested the OSPF protocol implementation with the AFL fuzzer and found a problem that causes an invalid memory read.

https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463

The problem is that 'plen' may be less than 'hlen'. And if this happens, then 'blen' will wrap around:

    if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
    {
      uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
      uint blen = plen - hlen;
      void *body = ((void *) pkt) + hlen;

      if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
        DROP("invalid checksum", ntohs(pkt->checksum));
    }

'plen' declared here: https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443

    uint plen = ntohs(pkt->length);
    if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
      DROP("invalid length", plen);

--
Best regards,
Slava Aseev
On Mon, 2020-06-08 at 13:18 +0300, Slava Aseev wrote:
> Hello!
>
> I recently tested the OSPF protocol implementation with the AFL fuzzer and found a problem that causes an invalid memory read.
>
> https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463
>
> The problem is that 'plen' may be less than 'hlen'. And if this happens, then 'blen' will wrap around:
>
>     if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
>     {
>       uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
>       uint blen = plen - hlen;
>       void *body = ((void *) pkt) + hlen;
>
>       if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
>         DROP("invalid checksum", ntohs(pkt->checksum));
>     }
>
> 'plen' declared here: https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443
>
>     uint plen = ntohs(pkt->length);
>     if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
>       DROP("invalid length", plen);

I had a similar issue, fixed in master by this commit
https://gitlab.labs.nic.cz/labs/bird/-/commit/9f2670277cc0d56d3364d478434805...
But this happened only with OSPF authentication.
On Mon, Jun 08, 2020 at 01:18:12PM +0300, Slava Aseev wrote:
> Hello!
>
> I recently tested the OSPF protocol implementation with the AFL fuzzer and found a problem that causes an invalid memory read.
>
> https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463
>
> The problem is that 'plen' may be less than 'hlen'. And if this happens, then 'blen' will wrap around:

Hello

Thanks for the bug report. Seems like when union ospf_auth2 was removed from struct ospf_packet, the invalid length check for plen was not properly updated. Will fix that.

At first glance, it seems that it would not cause a crash, as in ipsum_verify() it would overflow back to a pointer before 'body' and access no memory instead of accessing all memory behind 'body'.

>     if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
>     {
>       uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
>       uint blen = plen - hlen;
>       void *body = ((void *) pkt) + hlen;
>
>       if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
>         DROP("invalid checksum", ntohs(pkt->checksum));
>     }
>
> 'plen' declared here: https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443
>
>     uint plen = ntohs(pkt->length);
>     if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
>       DROP("invalid length", plen);

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
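The two length checks discussed above (the report's `plen - hlen` subtraction and the under-strict `plen < sizeof(struct ospf_packet)` test that lets it underflow), modelled side by side as an added example; this is not code from the thread or from BIRD. It assumes the RFC 2328 header sizes (a 16-byte fixed header and an 8-byte authentication field) in place of `sizeof(struct ospf_packet)` and `sizeof(union ospf_auth2)`, assumes `OSPF_AUTH_CRYPT` has the wire value 2, and its hardened variant `check_len_fixed` is this example's own, not necessarily how BIRD's fix is written.

```c
#include <stdint.h>

/* Sizes from the OSPFv2 wire format (RFC 2328, A.3.1): a 16-byte fixed
 * header followed by an 8-byte authentication field. BIRD models these as
 * struct ospf_packet and union ospf_auth2; the constants and offsets here
 * are this example's own assumptions, not BIRD's definitions. */
#define OSPF_PKT_HDR_LEN   16u
#define OSPF_AUTH2_LEN      8u
#define OSPF_AUTH_CRYPT     2u   /* assumed wire value of the cryptographic AuType */
#define OSPF_LEN_OFF        2    /* offset of the 16-bit packet length field */
#define OSPF_AUTYPE_OFF    14    /* offset of the 16-bit AuType field */

typedef enum {
  LEN_ACCEPTED,   /* length checks passed and the body length is sane */
  LEN_DROPPED,    /* packet rejected by the length check */
  LEN_WRAPPED     /* length check passed but plen - hlen underflowed */
} len_verdict;

/* Read a 16-bit big-endian field, as ntohs() does for the wire copy. */
static unsigned rd16be(const uint8_t *p)
{
  return ((unsigned) p[0] << 8) | p[1];
}

/* The pre-fix logic from the report: the length check only requires
 * plen >= sizeof(struct ospf_packet), but with a non-cryptographic AuType
 * the body starts at hlen = 16 + 8, so plen - hlen wraps for 16 <= plen < 24. */
len_verdict check_len_original(const uint8_t *pkt, unsigned *blen_out)
{
  unsigned plen = rd16be(pkt + OSPF_LEN_OFF);
  unsigned autype = rd16be(pkt + OSPF_AUTYPE_OFF);

  if (plen < OSPF_PKT_HDR_LEN || (plen % 4) != 0)
    return LEN_DROPPED;                       /* DROP("invalid length", plen) */

  if (autype != OSPF_AUTH_CRYPT)
  {
    unsigned hlen = OSPF_PKT_HDR_LEN + OSPF_AUTH2_LEN;
    unsigned blen = plen - hlen;              /* unsigned: wraps when plen < hlen */
    *blen_out = blen;
    return (blen > plen) ? LEN_WRAPPED : LEN_ACCEPTED;
  }

  *blen_out = plen - OSPF_PKT_HDR_LEN;
  return LEN_ACCEPTED;
}

/* This example's own hardening (not necessarily the shape of BIRD's fix):
 * derive the header length first and check plen against it, so the
 * subtraction can never underflow. */
len_verdict check_len_fixed(const uint8_t *pkt, unsigned *blen_out)
{
  unsigned plen = rd16be(pkt + OSPF_LEN_OFF);
  unsigned autype = rd16be(pkt + OSPF_AUTYPE_OFF);
  unsigned hlen = OSPF_PKT_HDR_LEN;

  if (autype != OSPF_AUTH_CRYPT)
    hlen += OSPF_AUTH2_LEN;

  if (plen < hlen || (plen % 4) != 0)
    return LEN_DROPPED;

  *blen_out = plen - hlen;                    /* plen >= hlen is now guaranteed */
  return LEN_ACCEPTED;
}

/* Build a constructed 24-byte OSPFv2 header (version 2, type Hello) with
 * the given length field and AuType; every other field is zero. */
void build_hdr(uint8_t buf[24], unsigned plen, unsigned autype)
{
  for (int i = 0; i < 24; i++)
    buf[i] = 0;
  buf[0] = 2;
  buf[1] = 1;
  buf[OSPF_LEN_OFF] = (uint8_t) (plen >> 8);
  buf[OSPF_LEN_OFF + 1] = (uint8_t) plen;
  buf[OSPF_AUTYPE_OFF] = (uint8_t) (autype >> 8);
  buf[OSPF_AUTYPE_OFF + 1] = (uint8_t) autype;
}

/* Run one of the two checks on a constructed header. */
len_verdict run_check(int fixed, unsigned plen, unsigned autype, unsigned *blen_out)
{
  uint8_t hdr[24];
  build_hdr(hdr, plen, autype);
  *blen_out = 0;
  return fixed ? check_len_fixed(hdr, blen_out) : check_len_original(hdr, blen_out);
}

/* Thin wrappers so each result is a plain return value. */
len_verdict verdict_original(unsigned plen, unsigned autype)
{ unsigned b; return run_check(0, plen, autype, &b); }
len_verdict verdict_fixed(unsigned plen, unsigned autype)
{ unsigned b; return run_check(1, plen, autype, &b); }
unsigned body_len_original(unsigned plen, unsigned autype)
{ unsigned b; run_check(0, plen, autype, &b); return b; }
unsigned body_len_fixed(unsigned plen, unsigned autype)
{ unsigned b; run_check(1, plen, autype, &b); return b; }
```

With a length field of 16 or 20 and a non-cryptographic AuType, the original logic passes the length check and hands a body length of roughly 4 GiB to the checksum routine, which is exactly the kind of single crafted header a fuzzer finds; the fixed variant drops the same packet before any subtraction happens. A regression test for this class of bug should cover every multiple of 4 between the fixed header size and the header-plus-authentication size, for each AuType, since the defect only shows in that narrow window.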
On Mon, 2020-06-08 at 16:34 +0200, Ondrej Zajicek wrote:
> Hello
>
> Thanks for the bug report. Seems like when union ospf_auth2 was removed from struct ospf_packet, the invalid length check for plen was not properly updated. Will fix that.

Is this the fix that addresses the reported issue (82937b465b3a50bdcb00eff0b7aa6acb3fc21772)?
https://gitlab.labs.nic.cz/labs/bird/-/commit/82937b465b3a50bdcb00eff0b7aa6a...
On Wed, Jun 10, 2020 at 11:59:54AM +0000, Kenth Eriksson wrote:
> On Mon, 2020-06-08 at 16:34 +0200, Ondrej Zajicek wrote:
>
>> Hello
>>
>> Thanks for the bug report. Seems like when union ospf_auth2 was removed from struct ospf_packet, the invalid length check for plen was not properly updated. Will fix that.
>
> Is this the fix that addresses the reported issue (82937b465b3a50bdcb00eff0b7aa6acb3fc21772)?

Yes