diff options
author | Yue Tao <Yue.Tao@windriver.com> | 2014-07-28 04:15:03 -0400 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2014-08-05 16:23:58 -0400 |
commit | 71bb2dc7c3cbb41e3a566510d3ea20cb42eebb21 (patch) | |
tree | bce3d564bc6e2c3df404850b763df1b35c9c0647 /meta-networking | |
parent | 18bea207810b73828451a60f2d647c91f83d1883 (diff) | |
download | meta-openembedded-71bb2dc7c3cbb41e3a566510d3ea20cb42eebb21.tar.gz |
quagga: Security Advisory - quagga - CVE-2013-2236
Stack-based buffer overflow in the new_msg_lsa_change_notify function in
the OSPFD API (ospf_api.c) in Quagga before 0.99.22.2, when
--enable-opaque-lsa and the -a command line option are used, allows
remote attackers to cause a denial of service (crash) via a large LSA.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2236
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-networking')
-rw-r--r-- | meta-networking/recipes-protocols/quagga/files/0001-ospfd-CVE-2013-2236-stack-overrun-in-apiserver.patch | 106 | ||||
-rw-r--r-- | meta-networking/recipes-protocols/quagga/quagga_0.99.21.bb | 1 |
2 files changed, 107 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/quagga/files/0001-ospfd-CVE-2013-2236-stack-overrun-in-apiserver.patch b/meta-networking/recipes-protocols/quagga/files/0001-ospfd-CVE-2013-2236-stack-overrun-in-apiserver.patch new file mode 100644 index 000000000..30b05c262 --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/0001-ospfd-CVE-2013-2236-stack-overrun-in-apiserver.patch | |||
@@ -0,0 +1,106 @@ | |||
1 | Subject: [PATCH] ospfd: CVE-2013-2236, stack overrun in apiserver | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | |||
5 | the OSPF API-server (exporting the LSDB and allowing announcement of | ||
6 | Opaque-LSAs) writes past the end of fixed on-stack buffers. This leads | ||
7 | to an exploitable stack overflow. | ||
8 | |||
9 | For this condition to occur, the following two conditions must be true: | ||
10 | - Quagga is configured with --enable-opaque-lsa | ||
11 | - ospfd is started with the "-a" command line option | ||
12 | |||
13 | If either of these does not hold, the relevant code is not executed and | ||
14 | the issue does not get triggered. | ||
15 | |||
16 | Since the issue occurs on receiving large LSAs (larger than 1488 bytes), | ||
17 | it is possible for this to happen during normal operation of a network. | ||
18 | In particular, if there is an OSPF router with a large number of | ||
19 | interfaces, the Router-LSA of that router may exceed 1488 bytes and | ||
20 | trigger this, leading to an ospfd crash. | ||
21 | |||
22 | For an attacker to exploit this, s/he must be able to inject valid LSAs | ||
23 | into the OSPF domain. Any best-practice protection measure (using | ||
24 | crypto authentication, restricting OSPF to internal interfaces, packet | ||
25 | filtering protocol 89, etc.) will prevent exploitation. On top of that, | ||
26 | remote (not on an OSPF-speaking network segment) attackers will have | ||
27 | difficulties bringing up the adjacency needed to inject a LSA. | ||
28 | |||
29 | This patch only performs minimal changes to remove the possibility of a | ||
30 | stack overrun. The OSPF API in general is quite ugly and needs a | ||
31 | rewrite. | ||
32 | |||
33 | Reported-by: Ricky Charlet <ricky.charlet@hp.com> | ||
34 | Cc: Florian Weimer <fweimer@redhat.com> | ||
35 | Signed-off-by: David Lamparter <equinox@opensourcerouting.org> | ||
36 | --- | ||
37 | ospfd/ospf_api.c | 25 ++++++++++++++++++------- | ||
38 | 1 files changed, 18 insertions(+), 7 deletions(-) | ||
39 | |||
40 | diff --git a/ospfd/ospf_api.c b/ospfd/ospf_api.c | ||
41 | index 74a49e3..fae942e 100644 | ||
42 | --- a/ospfd/ospf_api.c | ||
43 | +++ b/ospfd/ospf_api.c | ||
44 | @@ -472,6 +472,9 @@ new_msg_register_event (u_int32_t seqnum, struct lsa_filter_type *filter) | ||
45 | emsg->filter.typemask = htons (filter->typemask); | ||
46 | emsg->filter.origin = filter->origin; | ||
47 | emsg->filter.num_areas = filter->num_areas; | ||
48 | + if (len > sizeof (buf)) | ||
49 | + len = sizeof(buf); | ||
50 | + /* API broken - missing memcpy to fill data */ | ||
51 | return msg_new (MSG_REGISTER_EVENT, emsg, seqnum, len); | ||
52 | } | ||
53 | |||
54 | @@ -488,6 +491,9 @@ new_msg_sync_lsdb (u_int32_t seqnum, struct lsa_filter_type *filter) | ||
55 | smsg->filter.typemask = htons (filter->typemask); | ||
56 | smsg->filter.origin = filter->origin; | ||
57 | smsg->filter.num_areas = filter->num_areas; | ||
58 | + if (len > sizeof (buf)) | ||
59 | + len = sizeof(buf); | ||
60 | + /* API broken - missing memcpy to fill data */ | ||
61 | return msg_new (MSG_SYNC_LSDB, smsg, seqnum, len); | ||
62 | } | ||
63 | |||
64 | @@ -501,13 +507,15 @@ new_msg_originate_request (u_int32_t seqnum, | ||
65 | int omsglen; | ||
66 | char buf[OSPF_API_MAX_MSG_SIZE]; | ||
67 | |||
68 | - omsglen = sizeof (struct msg_originate_request) - sizeof (struct lsa_header) | ||
69 | - + ntohs (data->length); | ||
70 | - | ||
71 | omsg = (struct msg_originate_request *) buf; | ||
72 | omsg->ifaddr = ifaddr; | ||
73 | omsg->area_id = area_id; | ||
74 | - memcpy (&omsg->data, data, ntohs (data->length)); | ||
75 | + | ||
76 | + omsglen = ntohs (data->length); | ||
77 | + if (omsglen > sizeof (buf) - offsetof (struct msg_originate_request, data)) | ||
78 | + omsglen = sizeof (buf) - offsetof (struct msg_originate_request, data); | ||
79 | + memcpy (&omsg->data, data, omsglen); | ||
80 | + omsglen += sizeof (struct msg_originate_request) - sizeof (struct lsa_header); | ||
81 | |||
82 | return msg_new (MSG_ORIGINATE_REQUEST, omsg, seqnum, omsglen); | ||
83 | } | ||
84 | @@ -627,13 +635,16 @@ new_msg_lsa_change_notify (u_char msgtype, | ||
85 | assert (data); | ||
86 | |||
87 | nmsg = (struct msg_lsa_change_notify *) buf; | ||
88 | - len = ntohs (data->length) + sizeof (struct msg_lsa_change_notify) | ||
89 | - - sizeof (struct lsa_header); | ||
90 | nmsg->ifaddr = ifaddr; | ||
91 | nmsg->area_id = area_id; | ||
92 | nmsg->is_self_originated = is_self_originated; | ||
93 | memset (&nmsg->pad, 0, sizeof (nmsg->pad)); | ||
94 | - memcpy (&nmsg->data, data, ntohs (data->length)); | ||
95 | + | ||
96 | + len = ntohs (data->length); | ||
97 | + if (len > sizeof (buf) - offsetof (struct msg_lsa_change_notify, data)) | ||
98 | + len = sizeof (buf) - offsetof (struct msg_lsa_change_notify, data); | ||
99 | + memcpy (&nmsg->data, data, len); | ||
100 | + len += sizeof (struct msg_lsa_change_notify) - sizeof (struct lsa_header); | ||
101 | |||
102 | return msg_new (msgtype, nmsg, seqnum, len); | ||
103 | } | ||
104 | -- | ||
105 | 1.7.5.4 | ||
106 | |||
diff --git a/meta-networking/recipes-protocols/quagga/quagga_0.99.21.bb b/meta-networking/recipes-protocols/quagga/quagga_0.99.21.bb index 0988b70eb..596d70339 100644 --- a/meta-networking/recipes-protocols/quagga/quagga_0.99.21.bb +++ b/meta-networking/recipes-protocols/quagga/quagga_0.99.21.bb | |||
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-doc-fix-makeinfo-errors-and-one-warning.patch \ | |||
7 | file://build-fix-extract.pl-for-cross-compilation.patch \ | 7 | file://build-fix-extract.pl-for-cross-compilation.patch \ |
8 | file://babel-close-the-stdout-stderr-as-in-other-daemons.patch \ | 8 | file://babel-close-the-stdout-stderr-as-in-other-daemons.patch \ |
9 | file://work-with-new-readline.patch \ | 9 | file://work-with-new-readline.patch \ |
10 | file://0001-ospfd-CVE-2013-2236-stack-overrun-in-apiserver.patch \ | ||
10 | " | 11 | " |
11 | 12 | ||
12 | SRC_URI[quagga-0.99.21.md5sum] = "99840adbe57047c90dfba6b6ed9aec7f" | 13 | SRC_URI[quagga-0.99.21.md5sum] = "99840adbe57047c90dfba6b6ed9aec7f" |