ospfd: protect call to get_edge() in ospf_te.c
During fuzzing, Iggy Frankovic discovered that get_edge() function in ospf_te.c
could return null pointer, in particular when the link_id or advertised router
IP addresses are fuzzed. As the null pointer returned by get_edge() function is
not handled by calling functions, this could cause ospfd crash.

This patch introduces new verification of returned pointer by get_edge()
function and stops the processing in case of null pointer. In addition, link ID
and advertiser router ID are validated before calling ls_find_edge_by_key() to
avoid the creation of a new edge with an invalid key.

CVE-2024-34088

Co-authored-by: Iggy Frankovic <[email protected]>
Signed-off-by: Olivier Dugeon <[email protected]>
(cherry picked from commit 8c177d6)

# Conflicts:
#	ospfd/ospf_te.c
odd22 authored and mergify[bot] committed May 24, 2024
1 parent 649906d commit 5a2da3e
Showing 1 changed file with 20 additions and 0 deletions.
20 changes: 20 additions & 0 deletions ospfd/ospf_te.c
Expand Up @@ -1686,6 +1686,11 @@ static struct ls_edge *get_edge(struct ls_ted *ted, struct ls_node_id adv,
struct ls_edge *edge;
struct ls_attributes *attr;

/* Check that Link ID and Node ID are valid */
if (IPV4_NET0(link_id.s_addr) || IPV4_NET0(adv.id.ip.addr.s_addr) ||
adv.origin != OSPFv2)
return NULL;

/* Search Edge that corresponds to the Link ID */
key = ((uint64_t)ntohl(link_id.s_addr)) & 0xffffffff;
edge = ls_find_edge_by_key(ted, key);
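Review bot: The new validity check at the top of get_edge() passes link_id.s_addr and adv.id.ip.addr.s_addr to IPV4_NET0() without byte-order conversion, while the key two lines later is built from ntohl(link_id.s_addr). Please confirm which byte order IPV4_NET0() expects; if it tests the leading octet of a host-order value, both arguments need ntohl() here, otherwise on a little-endian host the test examines the last octet of the address instead of the first. The early return is also silent: an ote_debug() line before "return NULL;" would let an operator tell a rejected Link ID or advertising router apart from a failed lookup, and the function's comment should state that NULL is now a possible return value.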
Expand Down Expand Up @@ -1758,6 +1763,10 @@ static void ospf_te_update_link(struct ls_ted *ted, struct ls_vertex *vertex,

/* Get Corresponding Edge from Link State Data Base */
edge = get_edge(ted, vertex->node->adv, link_data);
if (!edge) {
ote_debug(" |- Found no edge from Link Data. Abort!");
return;
}
attr = edge->attributes;

/* re-attached edge to vertex if needed */
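Review bot: The new "if (!edge)" branch in ospf_te_update_link() returns from a void function, so the caller cannot tell that the link update was skipped, and the only trace is a debug-level ote_debug() message. Since the commit message ties this path to malformed link ID or advertising router input, consider logging it at a level that is visible without TE debugging enabled (rate-limited if needed), so repeated invalid link data shows up in normal operation.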
Expand Down Expand Up @@ -2277,6 +2286,13 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)

/* Get corresponding Edge from Link State Data Base */
edge = get_edge(ted, attr.adv, attr.standard.local);
<<<<<<< HEAD
=======
if (!edge) {
ote_debug(" |- Found no edge from Link local add./ID. Abort!");
return -1;
}
>>>>>>> 8c177d69e (ospfd: protect call to get_edge() in ospf_te.c)
old = edge->attributes;

ote_debug(" |- Process Traffic Engineering LSA %pI4 for Edge %pI4",
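Review bot: The cherry-pick left unresolved merge conflict markers in ospf_te_parse_te(): the "<<<<<<< HEAD", "=======" and ">>>>>>> 8c177d69e" lines are added to ospfd/ospf_te.c as source lines, so the file cannot compile as committed. They also account for 3 of the 20 additions reported for this commit. Remove the three marker lines and keep only the "if (!edge) { ... return -1; }" block between get_edge() and "old = edge->attributes;", then rebuild before this backport is merged; the "# Conflicts:" note in the commit message suggests the resolution step was not completed.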
Expand Down Expand Up @@ -2782,6 +2798,10 @@ static int ospf_te_parse_ext_link(struct ls_ted *ted, struct ospf_lsa *lsa)
lnid.id.ip.area_id = lsa->area->area_id;
ext = (struct ext_tlv_link *)TLV_HDR_TOP(lsa->data);
edge = get_edge(ted, lnid, ext->link_data);
if (!edge) {
ote_debug(" |- Found no edge from Extended Link Data. Abort!");
return -1;
}
atr = edge->attributes;

ote_debug(" |- Process Extended Link LSA %pI4 for edge %pI4",
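Review bot: In ospf_te_parse_ext_link() the NULL check protects "atr = edge->attributes;", but ext is cast from lsa->data and ext->link_data is read on the line above with no length check visible in this hunk. If the LSA length is not validated against the size of struct ext_tlv_link earlier in the function, a short LSA would still be read out of bounds before get_edge() is reached; please confirm that check exists or add it alongside this fix. The debug message here and the "return -1" match the ospf_te_parse_te() change, which is good for consistency.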