--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/quagga/patches/12-cve-2013-0149.patch Fri Oct 25 14:37:51 2013 -0700
@@ -0,0 +1,67 @@
+This patch may be removed when Quagga is upgraded to at least
+version 0.99.22.4 or 0.99.23
+
+
+From 23cd8fb7133befdb84b3a918f7b2f6147161ac6e Mon Sep 17 00:00:00 2001
+From: David Lamparter <[email protected]>
+Date: Fri, 2 Aug 2013 07:27:53 +0000
+Subject: [PATCH] ospfd: protect vs. VU#229804 (malformed Router-LSA)
+
+VU#229804 reports that, by injecting Router LSAs with the Advertising
+Router ID different from the Link State ID, OSPF implementations can be
+tricked into retaining and using invalid information.
+
+Quagga is not vulnerable to this because it looks up Router LSAs by
+(Router-ID, LS-ID) pair. The relevant code is in ospf_lsa.c l.3140.
+Note the double "id" parameter at the end.
+
+Still, we can provide an improvement here by discarding such malformed
+LSAs and providing a warning to the administrator. While we cannot
+prevent such malformed LSAs from entering the OSPF domain, we can
+certainly try to limit their distribution.
+
+cf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report.
+This issue is a specification issue in the OSPF protocol that was
+discovered by Dr. Gabi Nakibly.
+
+Reported-by: CERT Coordination Center <[email protected]>
+Signed-off-by: David Lamparter <[email protected]>
+---
+ ospfd/ospf_packet.c | 21 +++++++++++++++++++++
+ 1 files changed, 21 insertions(+), 0 deletions(-)
+
+diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
+index 37223fb..ab68bf0 100644
+--- ospfd/ospf_packet.c
++++ ospfd/ospf_packet.c
+@@ -1823,6 +1823,27 @@ ospf_ls_upd (struct ip *iph, struct ospf_header *ospfh,
+ DISCARD_LSA (lsa,2);
+ }
+
++ /* VU229804: Router-LSA Adv-ID must be equal to LS-ID */
++ if (lsa->data->type == OSPF_ROUTER_LSA)
++ if (!IPV4_ADDR_SAME(&lsa->data->id, &lsa->data->adv_router))
++ {
++ char buf1[INET_ADDRSTRLEN];
++ char buf2[INET_ADDRSTRLEN];
++ char buf3[INET_ADDRSTRLEN];
++
++ zlog_err("Incoming Router-LSA from %s with "
++ "Adv-ID[%s] != LS-ID[%s]",
++ inet_ntop (AF_INET, &ospfh->router_id,
++ buf1, INET_ADDRSTRLEN),
++ inet_ntop (AF_INET, &lsa->data->id,
++ buf2, INET_ADDRSTRLEN),
++ inet_ntop (AF_INET, &lsa->data->adv_router,
++ buf3, INET_ADDRSTRLEN));
++ zlog_err("OSPF domain compromised by attack or corruption. "
++ "Verify correct operation of -ALL- OSPF routers.");
++ DISCARD_LSA (lsa, 0);
++ }
++
+ /* Find the LSA in the current database. */
+
+ current = ospf_lsa_lookup_by_header (oi->area, lsa->data);
+--
+1.7.2.5
+
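Review bot: The first `zlog_err` call in the added Router-LSA check prints each address under the other's label: the format reads `Adv-ID[%s] != LS-ID[%s]`, but the arguments after the router ID are `lsa->data->id` (the LS-ID) and then `lsa->data->adv_router` (the Adv-ID). An administrator triaging this alert would be pointed at the wrong identifier. Changing the format string to `"LS-ID[%s] != Adv-ID[%s]"` fixes the labels without touching the argument order. Both messages are also logged at error level for every offending LSA, so if `zlog_err` is not rate-limited (not visible here) a stream of malformed LSAs could flood the log; that is worth confirming. The enclosing function `ospf_ls_upd` starts and ends outside the hunk.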