invalid memory read in proto/ospf/packet.c

Slava Aseev nullptrnine at basealt.ru
Mon Jun 8 12:18:12 CEST 2020


Hello!

I recently tested the OSPF protocol implementation with the AFL fuzzer and
found a problem that causes an invalid memory read.

https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463
The problem is that 'plen' may be less than 'hlen'.
And if this happens, then 'blen' will wrap around:

if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
{
  uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
  uint blen = plen - hlen;
  void *body = ((void *) pkt) + hlen;

  if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
    DROP("invalid checksum", ntohs(pkt->checksum));
}

'plen' declared here: 
https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443

uint plen = ntohs(pkt->length);
if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
  DROP("invalid length", plen);

-- 
Best regards,
Slava Aseev
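Added example (not BIRD's code, not part of the post): it reproduces the unsigned wrap described above and shows a length validation that rejects a 'plen' smaller than the OSPFv2 header plus authentication field before 'blen' is computed. The header and auth structs are simplified stand-ins with an assumed layout, and the packets are constructed in the code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Stand-ins for BIRD's struct ospf_packet (16 bytes) and union ospf_auth2
 * (8 bytes); field names follow the post, the exact layout is an assumption. */
struct ospf_packet_hdr {
  uint8_t version, type;
  uint16_t length;          /* total packet length, network byte order */
  uint32_t routerid, areaid;
  uint16_t checksum;
  uint8_t instance_id, autype;
};
union ospf_auth2_field { uint8_t raw[8]; };

#define OSPF2_HLEN (sizeof(struct ospf_packet_hdr) + sizeof(union ospf_auth2_field))

/* The arithmetic from the post: for plen < hlen the unsigned subtraction
 * wraps, so blen becomes enormous instead of signalling an error. */
uint32_t body_len_unchecked(uint32_t plen) {
  return plen - (uint32_t)OSPF2_HLEN;
}

/* Hardened length validation. Returns the body length, or -1 when the packet
 * should be dropped. rcv_len is the byte count actually received; comparing
 * plen against it is an added defensive step, not something the post shows. */
long ospf2_body_len(const uint8_t *buf, size_t rcv_len) {
  struct ospf_packet_hdr hdr;
  if (rcv_len < sizeof hdr)
    return -1;                                   /* header itself truncated */
  memcpy(&hdr, buf, sizeof hdr);
  uint32_t plen = ntohs(hdr.length);
  if (plen < sizeof hdr || (plen % 4) != 0)
    return -1;                                   /* the post's existing check */
  if (plen > rcv_len)
    return -1;                                   /* claimed body runs past buffer */
  if (plen < OSPF2_HLEN)
    return -1;                                   /* the missing check: no wrap */
  return (long)(plen - OSPF2_HLEN);
}

/* Constructed OSPFv2 packet: zeroed 64-byte buffer whose header claims
 * claimed_len bytes; rcv_len simulates how many bytes actually arrived. */
long check_claimed_len(uint16_t claimed_len, size_t rcv_len) {
  uint8_t buf[64] = {0};
  struct ospf_packet_hdr hdr = { .version = 2, .type = 1, .length = htons(claimed_len) };
  memcpy(buf, &hdr, sizeof hdr);
  return ospf2_body_len(buf, rcv_len < sizeof buf ? rcv_len : sizeof buf);
}
```

A claimed length of 16 satisfies the existing 'plen' check yet is below the 24-byte OSPFv2 header-plus-auth size, which is exactly the case the hardened check turns into a drop.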
