ospfd: Solved crash in OSPF TE parsing
Iggy Frankovic discovered an ospfd crash when performing fuzzing of OSPF LSA
packets. The crash occurs in the ospf_te_parse_te() function when attempting to
create the corresponding edge from TE Link parameters. If there is no local
address, an edge is created but without any attributes. During parsing, the
function tries to access these attribute fields, which have not been created,
causing an ospfd crash.

The patch simply checks if the TE parser has found a valid local address. If not
found, we stop the parser, which avoids the crash.

Signed-off-by: Olivier Dugeon <[email protected]>
(cherry picked from commit a73e66d)
odd22 authored and mergify[bot] committed Feb 27, 2024
1 parent 8b02d3e commit 9bc0060
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions ospfd/ospf_te.c
Expand Up @@ -2245,6 +2245,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
}

/* Get corresponding Edge from Link State Data Base */
if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
ote_debug(" |- Found no TE Link local address/ID. Abort!");
return -1;
}
edge = get_edge(ted, attr.adv, attr.standard.local);
old = edge->attributes;
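
Review bot: the new guard ahead of get_edge() only mirrors the condition under which the callee is said to return an edge without attributes, and `old = edge->attributes;` still uses the result with no check of its own. If get_edge() ever changes when it skips attribute creation, or can return NULL, later accesses through the attributes pointer would crash again on peer-supplied LSA data. Consider also testing `edge` and `edge->attributes` right after the call and returning -1 there, so the parser does not depend on the two conditions staying in sync. Two smaller points: the existing comment "Get corresponding Edge from Link State Data Base" now sits above the validation rather than the get_edge() call, so the guard should get its own comment or move above it; and the rejection is only reported through ote_debug(), so a malformed TE LSA is dropped without any trace unless TE debugging is enabled, which makes a warning-level log worth considering here.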
