components/quagga/patches/12-cve-2013-0149.patch
author Brian Utterback <brian.utterback@oracle.com>
Fri, 25 Oct 2013 14:37:51 -0700
branch s11u1-sru
changeset 2952 e67c9321ec34
permissions -rw-r--r--
17658177 problem in SERVICE/QUAGGA 17658165 mitigate CVE-2013-0149 in quagga

This patch may be removed when Quagga is upgraded to at least 
version 0.99.22.4 or 0.99.23


From 23cd8fb7133befdb84b3a918f7b2f6147161ac6e Mon Sep 17 00:00:00 2001
From: David Lamparter <[email protected]>
Date: Fri, 2 Aug 2013 07:27:53 +0000
Subject: [PATCH] ospfd: protect vs. VU#229804 (malformed Router-LSA)

VU#229804 reports that, by injecting Router LSAs with the Advertising
Router ID different from the Link State ID, OSPF implementations can be
tricked into retaining and using invalid information.

Quagga is not vulnerable to this because it looks up Router LSAs by
(Router-ID, LS-ID) pair.  The relevant code is in ospf_lsa.c l.3140.
Note the double "id" parameter at the end.

Still, we can provide an improvement here by discarding such malformed
LSAs and providing a warning to the administrator.  While we cannot
prevent such malformed LSAs from entering the OSPF domain, we can
certainly try to limit their distribution.

cf. http://www.kb.cert.org/vuls/id/229804 for the vulnerability report.
This issue is a specification issue in the OSPF protocol that was
discovered by Dr. Gabi Nakibly.

Reported-by: CERT Coordination Center <[email protected]>
Signed-off-by: David Lamparter <[email protected]>
---
 ospfd/ospf_packet.c |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
index 37223fb..ab68bf0 100644
--- ospfd/ospf_packet.c
+++ ospfd/ospf_packet.c
@@ -1823,6 +1823,27 @@ ospf_ls_upd (struct ip *iph, struct ospf_header *ospfh,
 	    DISCARD_LSA (lsa,2);
 	  }
 
+      /* VU229804: Router-LSA Adv-ID must be equal to LS-ID */
+      if (lsa->data->type == OSPF_ROUTER_LSA)
+	if (!IPV4_ADDR_SAME(&lsa->data->id, &lsa->data->adv_router))
+	  {
+	    char buf1[INET_ADDRSTRLEN];
+	    char buf2[INET_ADDRSTRLEN];
+	    char buf3[INET_ADDRSTRLEN];
+
+	    zlog_err("Incoming Router-LSA from %s with "
+		      "Adv-ID[%s] != LS-ID[%s]",
+		      inet_ntop (AF_INET, &ospfh->router_id,
+				 buf1, INET_ADDRSTRLEN),
+		      inet_ntop (AF_INET, &lsa->data->id,
+				 buf2, INET_ADDRSTRLEN),
+		      inet_ntop (AF_INET, &lsa->data->adv_router,
+				 buf3, INET_ADDRSTRLEN));
+	    zlog_err("OSPF domain compromised by attack or corruption. "
+		     "Verify correct operation of -ALL- OSPF routers.");
+	    DISCARD_LSA (lsa, 0);
+	  }
+
       /* Find the LSA in the current database. */
 
       current = ospf_lsa_lookup_by_header (oi->area, lsa->data);
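Review bot: the first zlog_err call passes its arguments in the opposite order to its labels. The format reads "Adv-ID[%s] != LS-ID[%s]", but the second argument is &lsa->data->id (the LS-ID) and the third is &lsa->data->adv_router (the Adv-ID), so each value is logged under the other's name. Swap the buf2 and buf3 inet_ntop arguments, or reorder the labels, so that an administrator reading the warning sees the right field. Two smaller points: the outer if on lsa->data->type has no braces around the nested if and its multi-line body, and folding both tests into one condition with && would read more safely. Both zlog_err calls also fire for every discarded LSA with no rate limit visible in this hunk, so a steady stream of such LSAs translates directly into error-log volume.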
-- 
1.7.2.5