Missing checking the lsa_length in ospf

Ondrej Zajicek santiago at crfreenet.org
Wed May 3 04:41:56 CEST 2023


On Mon, Apr 24, 2023 at 03:51:22PM -0400, Mingwei Zheng wrote:
> Hi,
> 
> I am doing testing work on network protocols and here is one possible issue I noticed in OSPF.
> 
> I noticed that you have checked the length of lsa in your function ospf_dump_lsupd in lsupd.c <https://gitlab.nic.cz/labs/bird/-/blob/master/proto/ospf/lsupd.c>:
> 
>    if (((lsa_len % 4) != 0) || (lsa_len <= sizeof(struct ospf_lsa_header)))
>       goto invalid;
> However in the other packet types, like LSACK and LSREQ, I didn’t see similar checking. I am worrying about whether this would be an issue.
> I would really appreciate it if anyone can have a look at it. Thank you!

Hi

LSACK and LSREQ handle just fixed-size LSA headers, not full LSAs, so
there is no reason for lsa_len checks.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."



More information about the Bird-users mailing list