components/quagga/patches/14-cve-2013-2236.patch
author Shawn Walker-Salas <shawn.walker@oracle.com>
Wed, 30 Mar 2016 13:33:31 -0700
changeset 5682 94c0ca64c022
parent 1598 3223461a4c41
permissions -rw-r--r--
15558602 TCL_LD_SEARCH_FLAGS is wrongly defined in tclConfig.sh
22228656 remove redundant declarations and additions from makefiles
22252545 simplify build rules for components from common upstream
22378457 tclConfig.sh compiler settings are too specific
22727315 httping curses gui missing
22750630 procmail ignores userland cflags and may use private strstr function
22758725 wdiff uses diff from PATH instead of /usr/gnu/bin/diff
22926847 cloog Makefile typo when setting ASLR_MODE
22935090 tk config script has wrong linker flags
1598
3223461a4c41 17658177 problem in SERVICE/QUAGGA
Brian Utterback <brian.utterback@oracle.com>
This patch may be removed once Quagga is updated to 0.99.22.2 or
later.

From c51443f4aa6b7f0b0d6ad5409ad7d4b215092443 Mon Sep 17 00:00:00 2001
From: David Lamparter <[email protected]>
Date: Mon, 8 Jul 2013 23:05:28 +0200
Subject: [PATCH] ospfd: CVE-2013-2236, stack overrun in apiserver

the OSPF API-server (exporting the LSDB and allowing announcement of
Opaque-LSAs) writes past the end of fixed on-stack buffers.  This leads
to an exploitable stack overflow.

For this condition to occur, the following two conditions must be true:
- Quagga is configured with --enable-opaque-lsa
- ospfd is started with the "-a" command line option

If either of these does not hold, the relevant code is not executed and
the issue does not get triggered.

Since the issue occurs on receiving large LSAs (larger than 1488 bytes),
it is possible for this to happen during normal operation of a network.
In particular, if there is an OSPF router with a large number of
interfaces, the Router-LSA of that router may exceed 1488 bytes and
trigger this, leading to an ospfd crash.

For an attacker to exploit this, s/he must be able to inject valid LSAs
into the OSPF domain.  Any best-practice protection measure (using
crypto authentication, restricting OSPF to internal interfaces, packet
filtering protocol 89, etc.) will prevent exploitation.  On top of that,
remote (not on an OSPF-speaking network segment) attackers will have
difficulties bringing up the adjacency needed to inject an LSA.

This patch only performs minimal changes to remove the possibility of a
stack overrun.  The OSPF API in general is quite ugly and needs a
rewrite.

Reported-by: Ricky Charlet <[email protected]>
Cc: Florian Weimer <[email protected]>
Signed-off-by: David Lamparter <[email protected]>
---
 ospfd/ospf_api.c |   25 ++++++++++++++++++-------
 1 files changed, 19 insertions(+), 7 deletions(-)
--- ospfd/ospf_api.c
+++ ospfd/ospf_api.c
@@ -21,6 +21,7 @@
  */
 
 #include <zebra.h>
+#include <stddef.h>
 
 #ifdef SUPPORT_OSPF_API
 #ifndef HAVE_OPAQUE_LSA
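Review bot: the new `#include <stddef.h>` sits outside the `#ifdef SUPPORT_OSPF_API` guard although its only consumer, `offsetof`, is used in the API-only code further down; harmless because stddef.h is a standard header, but since it is added right after `#include <zebra.h>` it is worth checking whether zebra.h already pulls in stddef.h, in which case the line is redundant.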
@@ -472,6 +473,9 @@ new_msg_register_event (u_int32_t seqnum
   emsg->filter.typemask = htons (filter->typemask);
   emsg->filter.origin = filter->origin;
   emsg->filter.num_areas = filter->num_areas;
+  if (len > sizeof (buf))
+    len = sizeof(buf);
+  /* API broken - missing memcpy to fill data */
   return msg_new (MSG_REGISTER_EVENT, emsg, seqnum, len);
 }
 
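Review bot: the clamp `if (len > sizeof (buf)) len = sizeof(buf);` silently truncates instead of failing, and the comment added directly under it (`/* API broken - missing memcpy to fill data */`) records that the per-area data `len` presumably accounts for is never copied into `emsg`; so whatever `len` ends up being, `msg_new` is handed `len` bytes of `buf` of which only the fixed filter fields were written, and the remainder is uninitialised stack. Prefer returning NULL when the filter does not fit, and either copy the area list or `memset` the buffer before use so no stack contents leave the process. If `len` is a signed type (its declaration is outside this hunk) a negative value also passes the check. Minor: `sizeof (buf)` and `sizeof(buf)` on consecutive lines; pick one spacing.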
@@ -488,6 +492,9 @@ new_msg_sync_lsdb (u_int32_t seqnum, str
   smsg->filter.typemask = htons (filter->typemask);
   smsg->filter.origin = filter->origin;
   smsg->filter.num_areas = filter->num_areas;
+  if (len > sizeof (buf))
+    len = sizeof(buf);
+  /* API broken - missing memcpy to fill data */
   return msg_new (MSG_SYNC_LSDB, smsg, seqnum, len);
 }
 
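Review bot: same clamp and same "missing memcpy to fill data" comment as in `new_msg_register_event`, so the same objections apply here in `new_msg_sync_lsdb`: silent truncation, and `msg_new` reading bytes of `buf` that were never written. The two functions now carry an identical three-line block; factor it into one helper that validates the filter length and fails cleanly, rather than duplicating the check, and keep the `sizeof` spacing consistent in whichever copy survives.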
@@ -501,13 +508,15 @@ new_msg_originate_request (u_int32_t seq
   int omsglen;
   char buf[OSPF_API_MAX_MSG_SIZE];
 
-  omsglen = sizeof (struct msg_originate_request) - sizeof (struct lsa_header)
-    + ntohs (data->length);
-
   omsg = (struct msg_originate_request *) buf;
   omsg->ifaddr = ifaddr;
   omsg->area_id = area_id;
-  memcpy (&omsg->data, data, ntohs (data->length));
+
+  omsglen = ntohs (data->length);
+  if (omsglen > sizeof (buf) - offsetof (struct msg_originate_request, data))
+    omsglen = sizeof (buf) - offsetof (struct msg_originate_request, data);
+  memcpy (&omsg->data, data, omsglen);
+  omsglen += sizeof (struct msg_originate_request) - sizeof (struct lsa_header);
 
   return msg_new (MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen);
 }
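Review bot: the bound on `omsglen` truncates the LSA rather than rejecting it, but the `struct lsa_header` copied into `omsg->data` keeps its original `length` field, so an originate request for an LSA larger than the buffer goes out with a header claiming more bytes than the message carries; returning NULL here would be safer than a silently inconsistent message. The hunk also uses two different expressions for the size of the fixed part: `offsetof (struct msg_originate_request, data)` for the bound and `sizeof (struct msg_originate_request) - sizeof (struct lsa_header)` for the final length. Those agree only when `data` is the last member and the struct has no trailing padding; use `offsetof` in both places so the bound and the length cannot drift apart.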
@@ -627,13 +636,16 @@ new_msg_lsa_change_notify (u_char msgtyp
   assert (data);
 
   nmsg = (struct msg_lsa_change_notify *) buf;
-  len = ntohs (data->length) + sizeof (struct msg_lsa_change_notify)
-    - sizeof (struct lsa_header);
   nmsg->ifaddr = ifaddr;
   nmsg->area_id = area_id;
   nmsg->is_self_originated = is_self_originated;
   memset (&nmsg->pad, 0, sizeof (nmsg->pad));
-  memcpy (&nmsg->data, data, ntohs (data->length));
+
+  len = ntohs (data->length);
+  if (len > sizeof (buf) - offsetof (struct msg_lsa_change_notify, data))
+    len = sizeof (buf) - offsetof (struct msg_lsa_change_notify, data);
+  memcpy (&nmsg->data, data, len);
+  len += sizeof (struct msg_lsa_change_notify) - sizeof (struct lsa_header);
 
   return msg_new (msgtype, nmsg, seqnum, len);
 }
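Review bot: the same truncate-instead-of-reject pattern as in `new_msg_originate_request`, and in this function it is hit in normal operation: the commit message says a Router-LSA on a router with many interfaces can exceed 1488 bytes, so an API client will now receive change notifications whose `lsa_header.length` exceeds the bytes actually sent, with nothing logged to say so. At minimum log when `len` is clamped; better, skip the notification or send an explicit error so the client does not parse a truncated LSA as a complete one. The `offsetof (struct msg_lsa_change_notify, data)` versus `sizeof (struct msg_lsa_change_notify) - sizeof (struct lsa_header)` mismatch from the previous hunk repeats here and should be resolved the same way.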