author: Norm Jacobs <Norm.Jacobs@Oracle.COM>
date: Thu, 11 Feb 2016 22:32:09 -0800
changeset: 5453 12788f3c6c43
parent: 1598 3223461a4c41
permissions: -rw-r--r--
annotation (applies to every line below): rev 1598 3223461a4c41, 17658177 problem in SERVICE/QUAGGA, Brian Utterback <brian.utterback@oracle.com>

This patch may be removed once Quagga is updated to 0.99.22.2 or
later.


From c51443f4aa6b7f0b0d6ad5409ad7d4b215092443 Mon Sep 17 00:00:00 2001
From: David Lamparter <[email protected]>
Date: Mon, 8 Jul 2013 23:05:28 +0200
Subject: [PATCH] ospfd: CVE-2013-2236, stack overrun in apiserver

the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads
to an exploitable stack overflow.

For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option

If either of these does not hold, the relevant code is not executed and
the issue does not get triggered.

Since the issue occurs on receiving large LSAs (larger than 1488 bytes),
it is possible for this to happen during normal operation of a network.
In particular, if there is an OSPF router with a large number of
interfaces, the Router-LSA of that router may exceed 1488 bytes and
trigger this, leading to an ospfd crash.

For an attacker to exploit this, s/he must be able to inject valid LSAs
into the OSPF domain. Any best-practice protection measure (using
crypto authentication, restricting OSPF to internal interfaces, packet
filtering protocol 89, etc.) will prevent exploitation. On top of that,
remote (not on an OSPF-speaking network segment) attackers will have
difficulties bringing up the adjacency needed to inject a LSA.

This patch only performs minimal changes to remove the possibility of a
stack overrun. The OSPF API in general is quite ugly and needs a
rewrite.

Reported-by: Ricky Charlet <[email protected]>
Cc: Florian Weimer <[email protected]>
Signed-off-by: David Lamparter <[email protected]>
---
ospfd/ospf_api.c | 25 ++++++++++++++++++-------
1 files changed, 19 insertions(+), 7 deletions(-)

--- ospfd/ospf_api.c
+++ ospfd/ospf_api.c
@@ -21,6 +21,7 @@
*/

#include <zebra.h>
+#include <stddef.h>

#ifdef SUPPORT_OSPF_API
#ifndef HAVE_OPAQUE_LSA
@@ -472,6 +473,9 @@ new_msg_register_event (u_int32_t seqnum
emsg->filter.typemask = htons (filter->typemask);
emsg->filter.origin = filter->origin;
emsg->filter.num_areas = filter->num_areas;
+ if (len > sizeof (buf))
+ len = sizeof(buf);
+ /* API broken - missing memcpy to fill data */
return msg_new (MSG_REGISTER_EVENT, emsg, seqnum, len);
}

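Review bot: the clamp `if (len > sizeof (buf)) len = sizeof(buf);` silently truncates the message while `emsg->filter.num_areas = filter->num_areas;` two lines earlier is left unchanged, so a clamped message advertises more area entries than the bytes it carries; failing the call (or reducing num_areas to what fits) would be safer than truncating. The adjoining `/* API broken - missing memcpy to fill data */` documents a defect this hunk does not fix and should carry a TODO or bug reference. Minor: `sizeof (buf)` and `sizeof(buf)` on consecutive lines; pick one spacing.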
@@ -488,6 +492,9 @@ new_msg_sync_lsdb (u_int32_t seqnum, str
smsg->filter.typemask = htons (filter->typemask);
smsg->filter.origin = filter->origin;
smsg->filter.num_areas = filter->num_areas;
+ if (len > sizeof (buf))
+ len = sizeof(buf);
+ /* API broken - missing memcpy to fill data */
return msg_new (MSG_SYNC_LSDB, smsg, seqnum, len);
}

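Review bot: same truncation concern as in new_msg_register_event: `smsg->filter.num_areas` is copied unchanged while `len` is clamped to `sizeof (buf)`, so the filter and its length disagree after truncation; consider failing the request instead. The check and the "missing memcpy" comment are now duplicated verbatim in two functions, so a shared bound-check helper would keep them from drifting apart.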
@@ -501,13 +508,15 @@ new_msg_originate_request (u_int32_t seq
int omsglen;
char buf[OSPF_API_MAX_MSG_SIZE];

- omsglen = sizeof (struct msg_originate_request) - sizeof (struct lsa_header)
- + ntohs (data->length);
-
omsg = (struct msg_originate_request *) buf;
omsg->ifaddr = ifaddr;
omsg->area_id = area_id;
- memcpy (&omsg->data, data, ntohs (data->length));
+
+ omsglen = ntohs (data->length);
+ if (omsglen > sizeof (buf) - offsetof (struct msg_originate_request, data))
+ omsglen = sizeof (buf) - offsetof (struct msg_originate_request, data);
+ memcpy (&omsg->data, data, omsglen);
+ omsglen += sizeof (struct msg_originate_request) - sizeof (struct lsa_header);

return msg_new (MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen);
}
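Review bot: bounding `omsglen` by `sizeof (buf) - offsetof (struct msg_originate_request, data)` stops the overrun, but the memcpy then forwards a truncated LSA whose embedded `data->length` still claims the full size, so the receiver gets an internally inconsistent LSA; rejecting oversized input (and logging it) would be cleaner than passing on a cut message. Also `omsglen` is declared `int` (`int omsglen;` at the top of the hunk) yet compared against a `size_t` expression; declaring it `size_t` or casting avoids the signed/unsigned comparison warning.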
@@ -627,13 +636,16 @@ new_msg_lsa_change_notify (u_char msgtyp
assert (data);

nmsg = (struct msg_lsa_change_notify *) buf;
- len = ntohs (data->length) + sizeof (struct msg_lsa_change_notify)
- - sizeof (struct lsa_header);
nmsg->ifaddr = ifaddr;
nmsg->area_id = area_id;
nmsg->is_self_originated = is_self_originated;
memset (&nmsg->pad, 0, sizeof (nmsg->pad));
- memcpy (&nmsg->data, data, ntohs (data->length));
+
+ len = ntohs (data->length);
+ if (len > sizeof (buf) - offsetof (struct msg_lsa_change_notify, data))
+ len = sizeof (buf) - offsetof (struct msg_lsa_change_notify, data);
+ memcpy (&nmsg->data, data, len);
+ len += sizeof (struct msg_lsa_change_notify) - sizeof (struct lsa_header);

return msg_new (msgtype, nmsg, seqnum, len);
}
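Review bot: `len` is now bounded before the memcpy but, as in new_msg_originate_request, a truncated LSA is still delivered with its original `data->length`; on this path the message is an LSA change notification sent to API clients, so a client parsing the embedded header will expect more bytes than the notification carries. Prefer dropping the notification when `ntohs (data->length)` exceeds the capacity. The capacity expression `sizeof (buf) - offsetof (..., data)` is now written out twice here and twice in the previous hunk; a small inline helper taking the struct's data offset would remove the repetition.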
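The two length computations the patch replaces and introduces, as an added example that is not part of the Quagga patch or the Oracle repository: a constructed `msg_lsa_change_notify` layout with the same 12 fixed bytes ahead of the LSA, an assumed 1500-byte `OSPF_API_MAX_MSG_SIZE` (which yields exactly the 1488-byte limit the commit message cites), and the bounded copy extended to report truncation so the caller can drop the message instead of forwarding a cut LSA.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed stand-in for OSPF_API_MAX_MSG_SIZE; 12 fixed bytes precede the
 * LSA, so 1488 bytes of LSA fit, the limit the commit message cites. */
#define API_MAX_MSG_SIZE 1500

struct lsa_header {                      /* the 20-byte OSPF LSA header */
    uint16_t ls_age; uint8_t options; uint8_t type; uint32_t id;
    uint32_t adv_router; uint32_t ls_seqnum; uint16_t checksum;
    uint16_t length;                     /* network byte order */
};
struct msg_lsa_change_notify {           /* constructed, mirrors ospf_api.h */
    uint32_t ifaddr; uint32_t area_id; uint8_t is_self_originated; uint8_t pad[3];
    struct lsa_header data;              /* LSA body continues past this field */
};
struct outcome { size_t unchecked; size_t bounded; int truncated; };

/* Pre-patch arithmetic: trusts the LSA's length field and never compares it
 * with the buffer.  Computed for inspection only; nothing is copied. */
size_t unchecked_msg_len(const struct lsa_header *lsa)
{
    return sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header)
           + ntohs(lsa->length);
}

/* Post-patch pattern: bound the copy by the room left after the fixed fields,
 * as the hunks do with offsetof.  *truncated lets the caller drop a cut LSA
 * instead of forwarding one whose own length field no longer matches. */
size_t build_change_notify(char *buf, size_t bufsz, const struct lsa_header *lsa, int *truncated)
{
    struct msg_lsa_change_notify *nmsg = (struct msg_lsa_change_notify *)buf;
    size_t capacity = bufsz - offsetof(struct msg_lsa_change_notify, data);
    size_t len = ntohs(lsa->length);
    *truncated = len > capacity;
    if (len > capacity)
        len = capacity;
    memset(nmsg, 0, offsetof(struct msg_lsa_change_notify, data));
    memcpy(&nmsg->data, lsa, len);
    return len + sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header);
}

/* Both computations on a constructed LSA of lsa_len bytes (zero filler body). */
struct outcome check_lsa(size_t lsa_len)
{
    static union { struct lsa_header h; char raw[4096]; } lsa;
    union { struct msg_lsa_change_notify m; char raw[API_MAX_MSG_SIZE]; } buf;
    struct outcome o;
    lsa.h.length = htons((uint16_t)lsa_len);
    o.unchecked = unchecked_msg_len(&lsa.h);
    o.bounded = build_change_notify(buf.raw, sizeof buf.raw, &lsa.h, &o.truncated);
    return o;
}
```

A 2000-byte Router-LSA gives an unchecked message length of 2012 against a 1500-byte buffer, while the bounded form stops at 1500 and flags the truncation.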