|
1 This patch may be removed when Quagga is upgraded to at least |
|
2 version 0.99.22.4 or 0.99.23 |
|
3 |
|
4 |
|
5 From 23cd8fb7133befdb84b3a918f7b2f6147161ac6e Mon Sep 17 00:00:00 2001 |
|
6 From: David Lamparter <[email protected]> |
|
7 Date: Fri, 2 Aug 2013 07:27:53 +0000 |
|
8 Subject: [PATCH] ospfd: protect vs. VU#229804 (malformed Router-LSA) |
|
9 |
|
10 VU#229804 reports that, by injecting Router LSAs with the Advertising |
|
11 Router ID different from the Link State ID, OSPF implementations can be |
|
12 tricked into retaining and using invalid information. |
|
13 |
|
14 Quagga is not vulnerable to this because it looks up Router LSAs by |
|
15 (Router-ID, LS-ID) pair. The relevant code is in ospf_lsa.c l.3140. |
|
16 Note the double "id" parameter at the end. |
|
17 |
|
18 Still, we can provide an improvement here by discarding such malformed |
|
19 LSAs and providing a warning to the administrator. While we cannot |
|
20 prevent such malformed LSAs from entering the OSPF domain, we can |
|
21 certainly try to limit their distribution. |
|
22 |
|
23 cf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report. |
|
24 This issue is a specification issue in the OSPF protocol that was |
|
25 discovered by Dr. Gabi Nakibly. |
|
26 |
|
27 Reported-by: CERT Coordination Center <[email protected]> |
|
28 Signed-off-by: David Lamparter <[email protected]> |
|
29 --- |
|
30 ospfd/ospf_packet.c | 21 +++++++++++++++++++++ |
|
31 1 files changed, 21 insertions(+), 0 deletions(-) |
|
32 |
|
33 diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c |
|
34 index 37223fb..ab68bf0 100644 |
|
35 --- ospfd/ospf_packet.c |
|
36 +++ ospfd/ospf_packet.c |
|
37 @@ -1823,6 +1823,27 @@ ospf_ls_upd (struct ip *iph, struct ospf_header *ospfh, |
|
38 DISCARD_LSA (lsa,2); |
|
39 } |
|
40 |
|
41 + /* VU229804: Router-LSA Adv-ID must be equal to LS-ID */ |
|
42 + if (lsa->data->type == OSPF_ROUTER_LSA) |
|
43 + if (!IPV4_ADDR_SAME(&lsa->data->id, &lsa->data->adv_router)) |
|
44 + { |
|
45 + char buf1[INET_ADDRSTRLEN]; |
|
46 + char buf2[INET_ADDRSTRLEN]; |
|
47 + char buf3[INET_ADDRSTRLEN]; |
|
48 + |
|
49 + zlog_err("Incoming Router-LSA from %s with " |
|
50 + "Adv-ID[%s] != LS-ID[%s]", |
|
51 + inet_ntop (AF_INET, &ospfh->router_id, |
|
52 + buf1, INET_ADDRSTRLEN), |
|
53 + inet_ntop (AF_INET, &lsa->data->id, |
|
54 + buf2, INET_ADDRSTRLEN), |
|
55 + inet_ntop (AF_INET, &lsa->data->adv_router, |
|
56 + buf3, INET_ADDRSTRLEN)); |
|
57 + zlog_err("OSPF domain compromised by attack or corruption. " |
|
58 + "Verify correct operation of -ALL- OSPF routers."); |
|
59 + DISCARD_LSA (lsa, 0); |
|
60 + } |
|
61 + |
|
62 /* Find the LSA in the current database. */ |
|
63 |
|
64 current = ospf_lsa_lookup_by_header (oi->area, lsa->data); |
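Review bot: The outer `if (lsa->data->type == OSPF_ROUTER_LSA)` at the top of the added block has no braces, so the inner braced `if` is its body only by layout; either brace it, or fold both tests into one condition, `if (lsa->data->type == OSPF_ROUTER_LSA && !IPV4_ADDR_SAME(&lsa->data->id, &lsa->data->adv_router))`, so a later `else` or an added statement cannot silently rebind. Each malformed Router-LSA also emits two unconditional zlog_err lines, and since the trigger is a received packet, a peer injecting such LSAs can fill the log at line rate; a once-per-interval or per-neighbor throttle on at least the second message ("OSPF domain compromised ...") is worth considering. The discard reason `0` handed to `DISCARD_LSA (lsa, 0)` differs from the `2` used just above in the same function; if that argument identifies the discard point in debug traces (it is not visible here), a distinct value would make this rejection distinguishable from others. ospf_ls_upd begins and ends outside the hunk.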
|
65 -- |
|
66 1.7.2.5 |
|
67 |