invalid memory read in proto/ospf/packet.c

Ondrej Zajicek santiago at crfreenet.org
Mon Jun 8 16:34:57 CEST 2020


On Mon, Jun 08, 2020 at 01:18:12PM +0300, Slava Aseev wrote:
> Hello!
> 
> I recently tested the OSPF protocol implementation with AFL fuzzer and found
> a problem that causes an invalid memory read.
> 
> https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463
> The problem is that 'plen' may be less than 'hlen'.
> And if this happens, then 'blen' will wrap around:

Hello

Thanks for the bug report. Seems like when union ospf_auth2 was removed from
struct ospf_packet, the invalid length check for plen was not properly
updated. Will fix that.

At first glance, it seems that it would not cause a crash, as in
ipsum_verify() it would overflow back to a pointer before 'body'
and access no memory instead of accessing all memory behind 'body'.

> 
> if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
> {
>   uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
>   uint blen = plen - hlen;
>   void *body = ((void *) pkt) + hlen;
> 
>   if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
>     DROP("invalid checksum", ntohs(pkt->checksum));
> }
> 
> 'plen' declared here:
> https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443
> 
> uint plen = ntohs(pkt->length);
> if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
>   DROP("invalid length", plen);
> 
> -- 
> Best regards,
> Slava Aseev
> 

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
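Modelling the length check discussed in this thread, as an added example that is not BIRD's code: the quoted check beside a variant that validates 'plen' against the full 'hlen' before subtracting. The 16-byte header and 8-byte authentication-field sizes are assumptions for the model, not BIRD's struct sizes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled sizes (assumption for this example, not BIRD's definitions):
 * a 16-byte common OSPF header plus the 8-byte OSPFv2 authentication
 * field that the quoted code adds to 'hlen' for non-cryptographic auth. */
#define OSPF_HDR_LEN   16u
#define OSPF_AUTH2_LEN  8u

struct len_check {
  bool ok;       /* false means the packet would be dropped */
  unsigned blen; /* body length handed to the checksum routine */
};

/* The check as quoted in the thread: 'plen' is only compared against the
 * header size, so 'plen - hlen' underflows when the auth field is counted. */
static struct len_check check_len_original(uint16_t plen, bool has_auth2)
{
  struct len_check r = { false, 0 };
  if ((plen < OSPF_HDR_LEN) || ((plen % 4) != 0))
    return r;                               /* DROP("invalid length") */
  unsigned hlen = OSPF_HDR_LEN + (has_auth2 ? OSPF_AUTH2_LEN : 0);
  r.ok = true;
  r.blen = plen - hlen;                     /* wraps to ~4 GiB if plen < hlen */
  return r;
}

/* Hardened variant: compute 'hlen' first and reject 'plen' below it, so the
 * subtraction can never wrap. */
static struct len_check check_len_fixed(uint16_t plen, bool has_auth2)
{
  struct len_check r = { false, 0 };
  unsigned hlen = OSPF_HDR_LEN + (has_auth2 ? OSPF_AUTH2_LEN : 0);
  if ((plen < hlen) || ((plen % 4) != 0))
    return r;                               /* DROP("invalid length") */
  r.ok = true;
  r.blen = plen - hlen;
  return r;
}

int main(void)
{
  struct len_check a = check_len_original(16, true);
  struct len_check b = check_len_fixed(16, true);
  printf("plen=16 original: ok=%d blen=%u\n", a.ok, a.blen);
  printf("plen=16 fixed:    ok=%d blen=%u\n", b.ok, b.blen);
  return 0;
}
```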

