components/quagga/patches/14-cve-2013-2236.patch
author Brian Utterback <brian.utterback@oracle.com>
Fri, 25 Oct 2013 14:37:51 -0700
branch s11-update
changeset 2951 83313d4990a4
permissions -rw-r--r--
17658177 problem in SERVICE/QUAGGA
17658165 mitigate CVE-2013-0149 in quagga
This patch may be removed once Quagga is updated to 0.99.22.2 or
later.
From c51443f4aa6b7f0b0d6ad5409ad7d4b215092443 Mon Sep 17 00:00:00 2001
From: David Lamparter <[email protected]>
Date: Mon, 8 Jul 2013 23:05:28 +0200
Subject: [PATCH] ospfd: CVE-2013-2236, stack overrun in apiserver
the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers.  This leads
to an exploitable stack overflow.
For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option
If either of these does not hold, the relevant code is not executed and
the issue does not get triggered.
Since the issue occurs on receiving large LSAs (larger than 1488 bytes),
it is possible for this to happen during normal operation of a network.
In particular, if there is an OSPF router with a large number of
interfaces, the Router-LSA of that router may exceed 1488 bytes and
trigger this, leading to an ospfd crash.
For an attacker to exploit this, s/he must be able to inject valid LSAs
into the OSPF domain.  Any best-practice protection measure (using
crypto authentication, restricting OSPF to internal interfaces, packet
filtering protocol 89, etc.) will prevent exploitation.  On top of that,
remote (not on an OSPF-speaking network segment) attackers will have
difficulties bringing up the adjacency needed to inject an LSA.
This patch only performs minimal changes to remove the possibility of a
stack overrun.  The OSPF API in general is quite ugly and needs a
rewrite.
Reported-by: Ricky Charlet <[email protected]>
Cc: Florian Weimer <[email protected]>
Signed-off-by: David Lamparter <[email protected]>
---
 ospfd/ospf_api.c |   25 ++++++++++++++++++-------
 1 files changed, 19 insertions(+), 7 deletions(-)
--- ospfd/ospf_api.c
+++ ospfd/ospf_api.c
@@ -21,6 +21,7 @@
  */
 
 #include <zebra.h>
+#include <stddef.h>
 
 #ifdef SUPPORT_OSPF_API
 #ifndef HAVE_OPAQUE_LSA
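Review bot: the new `#include <stddef.h>` is what makes the `offsetof()` calls in the later hunks portable, so it belongs here; because `<zebra.h>` comes first and may already pull stddef.h in transitively, a one-line comment stating that the include exists for `offsetof()` would keep a future header cleanup from dropping it.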
@@ -472,6 +473,9 @@ new_msg_register_event (u_int32_t seqnum
   emsg->filter.typemask = htons (filter->typemask);
   emsg->filter.origin = filter->origin;
   emsg->filter.num_areas = filter->num_areas;
+  if (len > sizeof (buf))
+    len = sizeof(buf);
+  /* API broken - missing memcpy to fill data */
   return msg_new (MSG_REGISTER_EVENT, emsg, seqnum, len);
 }
 
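Review bot: clamping `len` to `sizeof (buf)` stops `msg_new` from reading past the buffer, but the truncation is silent: `emsg->filter.num_areas = filter->num_areas` still carries the full area count while the message is now shorter than that count implies, so a client walking the area list from `num_areas` will over-read. Returning NULL (or at least logging) when `len > sizeof (buf)` would make an oversized registration fail visibly instead of producing an internally inconsistent message. The `/* API broken - missing memcpy to fill data */` comment also records a pre-existing defect (the area data is never copied in, so the bytes after the filter header are whatever `buf` already held); that deserves a tracking bug rather than only a comment. Minor: `sizeof (buf)` and `sizeof(buf)` on adjacent added lines; pick one spacing.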
@@ -488,6 +492,9 @@ new_msg_sync_lsdb (u_int32_t seqnum, str
   smsg->filter.typemask = htons (filter->typemask);
   smsg->filter.origin = filter->origin;
   smsg->filter.num_areas = filter->num_areas;
+  if (len > sizeof (buf))
+    len = sizeof(buf);
+  /* API broken - missing memcpy to fill data */
   return msg_new (MSG_SYNC_LSDB, smsg, seqnum, len);
 }
 
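Review bot: this is the same clamp as in `new_msg_register_event`, with the same caveats: the truncation is silent while `smsg->filter.num_areas` keeps the original count, and the comment again documents that the area data is never copied into the message. Since both functions now carry an identical bounds check followed by an identical "API broken" note, a single bounded-length helper (or a shared early return for `len > sizeof (buf)`) would keep the two from drifting apart. Same spacing nit as the previous hunk: `sizeof (buf)` versus `sizeof(buf)`.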
@@ -501,13 +508,15 @@ new_msg_originate_request (u_int32_t seq
   int omsglen;
   char buf[OSPF_API_MAX_MSG_SIZE];
 
-  omsglen = sizeof (struct msg_originate_request) - sizeof (struct lsa_header)
-    + ntohs (data->length);
-
   omsg = (struct msg_originate_request *) buf;
   omsg->ifaddr = ifaddr;
   omsg->area_id = area_id;
-  memcpy (&omsg->data, data, ntohs (data->length));
+
+  omsglen = ntohs (data->length);
+  if (omsglen > sizeof (buf) - offsetof (struct msg_originate_request, data))
+    omsglen = sizeof (buf) - offsetof (struct msg_originate_request, data);
+  memcpy (&omsg->data, data, omsglen);
+  omsglen += sizeof (struct msg_originate_request) - sizeof (struct lsa_header);
 
   return msg_new (MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen);
 }
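Review bot: the bound `sizeof (buf) - offsetof (struct msg_originate_request, data)` is the right one for the memcpy destination, but the length finally handed to `msg_new` is `omsglen + sizeof (struct msg_originate_request) - sizeof (struct lsa_header)`, which only stays within `buf` if `sizeof (struct msg_originate_request)` equals `offsetof (struct msg_originate_request, data) + sizeof (struct lsa_header)`, i.e. the struct has no trailing padding after `data`; a compile-time assertion of that equality would pin the assumption down instead of leaving it implicit. Two further points: `omsglen` is declared `int` and is compared against a `size_t` expression, so this is a signed/unsigned comparison (harmless here because `ntohs` cannot yield a negative value, but declaring it `size_t` avoids the warning and the question); and when the clamp fires, the copied `data` still begins with an `lsa_header` whose `length` field states the original, larger size, so the API client receives an LSA whose self-declared length disagrees with the message length it arrived in. Rejecting an LSA that does not fit (return NULL and log a warning) would be safer than forwarding a truncated one.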
@@ -627,13 +636,16 @@ new_msg_lsa_change_notify (u_char msgtyp
   assert (data);
 
   nmsg = (struct msg_lsa_change_notify *) buf;
-  len = ntohs (data->length) + sizeof (struct msg_lsa_change_notify)
-    - sizeof (struct lsa_header);
   nmsg->ifaddr = ifaddr;
   nmsg->area_id = area_id;
   nmsg->is_self_originated = is_self_originated;
   memset (&nmsg->pad, 0, sizeof (nmsg->pad));
-  memcpy (&nmsg->data, data, ntohs (data->length));
+
+  len = ntohs (data->length);
+  if (len > sizeof (buf) - offsetof (struct msg_lsa_change_notify, data))
+    len = sizeof (buf) - offsetof (struct msg_lsa_change_notify, data);
+  memcpy (&nmsg->data, data, len);
+  len += sizeof (struct msg_lsa_change_notify) - sizeof (struct lsa_header);
 
   return msg_new (msgtype, nmsg, seqnum, len);
 }
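Review bot: same construction as in `new_msg_originate_request`, and the same two caveats apply: the length passed to `msg_new` relies on `sizeof (struct msg_lsa_change_notify)` equalling `offsetof (struct msg_lsa_change_notify, data) + sizeof (struct lsa_header)`, and a clamped copy leaves the `length` field inside the copied header larger than the bytes actually sent. This is the path the description's Router-LSA case hits (an LSA above 1488 bytes arriving during normal operation), so a truncated notification will reach API clients in production and not only under attack; dropping the notification with a log message when `ntohs (data->length)` exceeds the bound would be more robust than delivering a malformed LSA. The clamp is now duplicated verbatim between the two functions and would read better as one helper that takes the buffer size and the data offset.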