upstream/oracle/userland-gate: components/quagga/patches/12-cve-2013-0149.patch@3223461a4c41 (annotated)

1598 3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	1	This patch may be removed when Quagga is upgraded to at least
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	2	version 0.99.22.4 or 0.99.23
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	3
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	4
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	5	From 23cd8fb7133befdb84b3a918f7b2f6147161ac6e Mon Sep 17 00:00:00 2001
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	6	From: David Lamparter <[email protected]>
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	7	Date: Fri, 2 Aug 2013 07:27:53 +0000
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	8	Subject: [PATCH] ospfd: protect vs. VU#229804 (malformed Router-LSA)
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	9
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	10	VU#229804 reports that, by injecting Router LSAs with the Advertising
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	11	Router ID different from the Link State ID, OSPF implementations can be
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	12	tricked into retaining and using invalid information.
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	13
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	14	Quagga is not vulnerable to this because it looks up Router LSAs by
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	15	(Router-ID, LS-ID) pair. The relevant code is in ospf_lsa.c l.3140.
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	16	Note the double "id" parameter at the end.
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	17
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	18	Still, we can provide an improvement here by discarding such malformed
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	19	LSAs and providing a warning to the administrator. While we cannot
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	20	prevent such malformed LSAs from entering the OSPF domain, we can
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	21	certainly try to limit their distribution.
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	22
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	23	cf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report.
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	24	This issue is a specification issue in the OSPF protocol that was
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	25	discovered by Dr. Gabi Nakibly.
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	26
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	27	Reported-by: CERT Coordination Center <[email protected]>
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	28	Signed-off-by: David Lamparter <[email protected]>
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	29	---
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	30	ospfd/ospf_packet.c \| 21 +++++++++++++++++++++
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	31	1 files changed, 21 insertions(+), 0 deletions(-)
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	32
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	33	diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	34	index 37223fb..ab68bf0 100644
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	35	--- ospfd/ospf_packet.c
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	36	+++ ospfd/ospf_packet.c
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	37	@@ -1823,6 +1823,27 @@ ospf_ls_upd (struct ip iph, struct ospf_header ospfh,
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	38	DISCARD_LSA (lsa,2);
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	39	}
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	40
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	41	+ /* VU229804: Router-LSA Adv-ID must be equal to LS-ID */
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	42	+ if (lsa->data->type == OSPF_ROUTER_LSA)
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	43	+ if (!IPV4_ADDR_SAME(&lsa->data->id, &lsa->data->adv_router))
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	44	+ {
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	45	+ char buf1[INET_ADDRSTRLEN];
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	46	+ char buf2[INET_ADDRSTRLEN];
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	47	+ char buf3[INET_ADDRSTRLEN];
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	48	+
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	49	+ zlog_err("Incoming Router-LSA from %s with "
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	50	+ "Adv-ID[%s] != LS-ID[%s]",
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	51	+ inet_ntop (AF_INET, &ospfh->router_id,
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	52	+ buf1, INET_ADDRSTRLEN),
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	53	+ inet_ntop (AF_INET, &lsa->data->id,
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	54	+ buf2, INET_ADDRSTRLEN),
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	55	+ inet_ntop (AF_INET, &lsa->data->adv_router,
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	56	+ buf3, INET_ADDRSTRLEN));
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	57	+ zlog_err("OSPF domain compromised by attack or corruption. "
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	58	+ "Verify correct operation of -ALL- OSPF routers.");
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	59	+ DISCARD_LSA (lsa, 0);
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	60	+ }
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	61	+
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	62	/* Find the LSA in the current database. */
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	63
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	64	current = ospf_lsa_lookup_by_header (oi->area, lsa->data);
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	65	--
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	66	1.7.2.5
3223461a4c41 17658177 problem in SERVICE/QUAGGA Brian Utterback <brian.utterback@oracle.com> parents: diff changeset	67

author	Brian Utterback <brian.utterback@oracle.com>
	Fri, 25 Oct 2013 14:37:51 -0700
changeset 1598	3223461a4c41
permissions	-rw-r--r--