// SPDX-License-Identifier: GPL-2.0-or-later
/*
* API message handling module for OSPF daemon and client.
* Copyright (C) 2001, 2002 Ralph Keller
* Copyright (c) 2022, LabN Consulting, L.L.C.
*/
#include <zebra.h>
#ifdef SUPPORT_OSPF_API
#include "linklist.h"
#include "prefix.h"
#include "if.h"
#include "table.h"
#include "memory.h"
#include "command.h"
#include "vty.h"
#include "stream.h"
#include "log.h"
#include "thread.h"
#include "hash.h"
#include "sockunion.h" /* for inet_aton() */
#include "buffer.h"
#include "network.h"
#include "ospfd/ospfd.h"
#include "ospfd/ospf_interface.h"
#include "ospfd/ospf_ism.h"
#include "ospfd/ospf_asbr.h"
#include "ospfd/ospf_lsa.h"
#include "ospfd/ospf_lsdb.h"
#include "ospfd/ospf_neighbor.h"
#include "ospfd/ospf_nsm.h"
#include "ospfd/ospf_flood.h"
#include "ospfd/ospf_packet.h"
#include "ospfd/ospf_spf.h"
#include "ospfd/ospf_dump.h"
#include "ospfd/ospf_route.h"
#include "ospfd/ospf_ase.h"
#include "ospfd/ospf_zebra.h"
#include "ospfd/ospf_api.h"
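/* For debugging only, will be removed */
/*
 * Dump an LSA header followed by the raw bytes of its opaque payload at
 * debug level, one byte per log line.
 *
 * The payload length is derived from lsa->size -- the allocated size of
 * lsa->data, set when that buffer was allocated -- and NOT from the length
 * field inside the LSA header, so the loop bound never depends on data
 * that arrived on the wire.  A NULL LSA or a buffer too small to even hold
 * a header is reported and skipped instead of being read past its end.
 */
void api_opaque_lsa_print(struct ospf_lsa *lsa)
{
	struct opaque_lsa {
		struct lsa_header header;
		uint8_t mydata[];
	};
	struct opaque_lsa *olsa;
	int opaquelen;
	int i;

	if (lsa == NULL || lsa->data == NULL) {
		zlog_debug("%s: lsa=NULL!", __func__);
		return;
	}

	/* Never dump a header that is not fully inside the allocated buffer. */
	if (lsa->size < OSPF_LSA_HEADER_SIZE) {
		zlog_debug("%s: LSA buffer too small (%zu bytes)", __func__,
			   (size_t)lsa->size);
		return;
	}

	ospf_lsa_header_dump(lsa->data);

	olsa = (struct opaque_lsa *)lsa->data;

	/* Payload bytes that really exist in the buffer (non-negative here). */
	opaquelen = lsa->size - OSPF_LSA_HEADER_SIZE;
	zlog_debug("%s: opaquelen=%d", __func__, opaquelen);

	for (i = 0; i < opaquelen; i++)
		zlog_debug("0x%x ", olsa->mydata[i]);
	zlog_debug(" ");
}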
/* -----------------------------------------------------------
* Generic messages
* -----------------------------------------------------------
*/
/*
 * Allocate an API message of the given type and sequence number whose
 * body is a copy of the msglen bytes at msgbody.
 *
 * The header fields are stored in network byte order, ready to be written
 * to the wire by msg_write().  The body stream is allocated to exactly
 * msglen bytes.  The caller owns the result and releases it with
 * msg_free().
 */
struct msg *msg_new(uint8_t msgtype, void *msgbody, uint32_t seqnum,
		    uint16_t msglen)
{
	struct msg *m = XCALLOC(MTYPE_OSPF_API_MSG, sizeof(struct msg));

	/* Wire-format header. */
	m->hdr.version = OSPF_API_VERSION;
	m->hdr.msgtype = msgtype;
	m->hdr.msglen = htons(msglen);
	m->hdr.msgseq = htonl(seqnum);

	/* Body: private copy sized to the payload. */
	m->s = stream_new(msglen);
	assert(m->s);
	stream_put(m->s, msgbody, msglen);

	return m;
}
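/* Duplicate a message by copying content. */
/*
 * Return a fresh copy of msg (same type, sequence number and body), or
 * NULL when the header's length field cannot be trusted: larger than
 * OSPF_MAX_LSA_SIZE, or larger than the body stream actually holds.  The
 * second check keeps msg_new() from reading past the end of msg->s should
 * hdr.msglen and the stream ever disagree.  The caller owns the returned
 * message and frees it with msg_free().
 */
struct msg *msg_dup(struct msg *msg)
{
	size_t size;

	assert(msg);
	assert(msg->s);

	size = ntohs(msg->hdr.msglen);
	if (size > OSPF_MAX_LSA_SIZE)
		return NULL;

	/* Bound the copy by the real buffer, not only by the header field. */
	if (size > STREAM_SIZE(msg->s))
		return NULL;

	return msg_new(msg->hdr.msgtype, STREAM_DATA(msg->s),
		       ntohl(msg->hdr.msgseq), size);
}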
/* XXX only for testing, will be removed */

/* One entry of a code -> printable-name table, used by
 * ospf_api_typename() and ospf_api_errname().  The tables in this file
 * are initialised positionally, so the field order matters. */
struct nametab {
	int value;
	const char *name;
};
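/*
 * Map an API message type (MSG_*) to a printable name for log output.
 * Returns "?" for values not in the table.  The table is static const so
 * it is built once instead of being re-initialised on the stack on every
 * call.
 */
const char *ospf_api_typename(int msgtype)
{
	static const struct nametab NameTab[] = {
		{ MSG_REGISTER_OPAQUETYPE, "Register opaque-type" },
		{ MSG_UNREGISTER_OPAQUETYPE, "Unregister opaque-type" },
		{ MSG_REGISTER_EVENT, "Register event" },
		{ MSG_SYNC_LSDB, "Sync LSDB" },
		{ MSG_ORIGINATE_REQUEST, "Originate request" },
		{ MSG_DELETE_REQUEST, "Delete request" },
		{ MSG_REPLY, "Reply" },
		{ MSG_READY_NOTIFY, "Ready notify" },
		{ MSG_LSA_UPDATE_NOTIFY, "LSA update notify" },
		{ MSG_LSA_DELETE_NOTIFY, "LSA delete notify" },
		{ MSG_NEW_IF, "New interface" },
		{ MSG_DEL_IF, "Del interface" },
		{ MSG_ISM_CHANGE, "ISM change" },
		{ MSG_NSM_CHANGE, "NSM change" },
		{ MSG_REACHABLE_CHANGE, "Reachable change" },
	};
	size_t i;

	for (i = 0; i < array_size(NameTab); i++) {
		if (NameTab[i].value == msgtype)
			return NameTab[i].name;
	}

	return "?";
}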
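/*
 * Map an API error code (OSPF_API_*) to a printable name for log output.
 * Returns "?" for values not in the table.  The table is static const so
 * it is built once instead of being re-initialised on the stack on every
 * call.
 */
const char *ospf_api_errname(int errcode)
{
	static const struct nametab NameTab[] = {
		{ OSPF_API_OK, "OK" },
		{ OSPF_API_NOSUCHINTERFACE, "No such interface" },
		{ OSPF_API_NOSUCHAREA, "No such area" },
		{ OSPF_API_NOSUCHLSA, "No such LSA" },
		{ OSPF_API_ILLEGALLSATYPE, "Illegal LSA type" },
		{ OSPF_API_OPAQUETYPEINUSE, "Opaque type in use" },
		{ OSPF_API_OPAQUETYPENOTREGISTERED, "Opaque type not registered" },
		{ OSPF_API_NOTREADY, "Not ready" },
		{ OSPF_API_NOMEMORY, "No memory" },
		{ OSPF_API_ERROR, "Other error" },
		{ OSPF_API_UNDEF, "Undefined" },
	};
	size_t i;

	for (i = 0; i < array_size(NameTab); i++) {
		if (NameTab[i].value == errcode)
			return NameTab[i].name;
	}

	return "?";
}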
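/*
 * Log the common header of msg at debug level: type (name and number),
 * body length, sequence number, body pointer and allocated body size.
 * A NULL msg is logged and otherwise ignored.
 */
void msg_print(struct msg *msg)
{
	if (!msg) {
		zlog_debug("msg_print msg=NULL!");
		return;
	}

	/* API message common header part.  The stream size is printed as a
	 * size_t with %zu; the previous %zd expected a signed ssize_t. */
	zlog_debug("API-msg [%s]: type(%d),len(%d),seq(%lu),data(%p),size(%zu)",
		   ospf_api_typename(msg->hdr.msgtype), msg->hdr.msgtype,
		   ntohs(msg->hdr.msglen),
		   (unsigned long)ntohl(msg->hdr.msgseq), STREAM_DATA(msg->s),
		   (size_t)STREAM_SIZE(msg->s));
}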
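/*
 * Release a message and its body stream.  Accepts NULL and does nothing
 * in that case, so callers can free unconditionally like free().
 */
void msg_free(struct msg *msg)
{
	if (msg == NULL)
		return;

	if (msg->s)
		stream_free(msg->s);

	XFREE(MTYPE_OSPF_API_MSG, msg);
}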
/* Set sequence number of message */
/* Store seqnr in the header, converting to network byte order first. */
void msg_set_seq(struct msg *msg, uint32_t seqnr)
{
	uint32_t wire_seq = htonl(seqnr);

	assert(msg);
	msg->hdr.msgseq = wire_seq;
}
/* Get sequence number of message */
/* Return the header's sequence number in host byte order. */
uint32_t msg_get_seq(struct msg *msg)
{
	uint32_t wire_seq;

	assert(msg);
	wire_seq = msg->hdr.msgseq;
	return ntohl(wire_seq);
}
/* -----------------------------------------------------------
* Message fifo queues
* -----------------------------------------------------------
*/
/* Allocate an empty message fifo (XCALLOC zero-fills it: no head, no
 * tail, count 0).  Release with msg_fifo_free(). */
struct msg_fifo *msg_fifo_new(void)
{
	struct msg_fifo *fifo;

	fifo = XCALLOC(MTYPE_OSPF_API_FIFO, sizeof(struct msg_fifo));
	return fifo;
}
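/* Add new message to fifo. */
/*
 * Append msg at the tail of fifo.
 *
 * msg->next is reset here so the list stays NULL-terminated regardless of
 * what next held before (e.g. a message that was previously linked into a
 * fifo); the flush and pop paths rely on the tail's next being NULL.
 */
void msg_fifo_push(struct msg_fifo *fifo, struct msg *msg)
{
	msg->next = NULL;

	if (fifo->tail)
		fifo->tail->next = msg;
	else
		fifo->head = msg;

	fifo->tail = msg;
	fifo->count++;
}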
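/* Remove first message from fifo. */
/*
 * Detach and return the message at the head of fifo, or NULL when the
 * fifo is empty.  The returned message's next pointer is cleared so the
 * caller cannot walk back into the fifo through it; ownership passes to
 * the caller.
 */
struct msg *msg_fifo_pop(struct msg_fifo *fifo)
{
	struct msg *msg = fifo->head;

	if (msg) {
		fifo->head = msg->next;
		if (fifo->head == NULL)
			fifo->tail = NULL;
		fifo->count--;

		/* Fully unlink: no stale pointer into the remaining list. */
		msg->next = NULL;
	}

	return msg;
}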
/* Return first fifo entry but do not remove it. */
/* Peek at the head of fifo; NULL when empty.  The fifo keeps ownership. */
struct msg *msg_fifo_head(struct msg_fifo *fifo)
{
	struct msg *front = fifo->head;

	return front;
}
/* Flush message fifo. */
/* Free every queued message and leave fifo empty (head/tail NULL, count 0). */
void msg_fifo_flush(struct msg_fifo *fifo)
{
	struct msg *cur = fifo->head;

	while (cur) {
		/* Read next before freeing cur. */
		struct msg *nxt = cur->next;

		msg_free(cur);
		cur = nxt;
	}

	fifo->head = NULL;
	fifo->tail = NULL;
	fifo->count = 0;
}
/* Free API message fifo. */
/* Free all queued messages, then the fifo container itself. */
void msg_fifo_free(struct msg_fifo *fifo)
{
	/* Queued messages go first so nothing is leaked with the container. */
	msg_fifo_flush(fifo);
	XFREE(MTYPE_OSPF_API_FIFO, fifo);
}
/*
 * Read one complete API message from fd: a fixed-size apimsghdr followed
 * by hdr.msglen bytes of body.  Returns a newly allocated message (caller
 * frees with msg_free()) or NULL on read error, EOF, short read, protocol
 * version mismatch, or a body length larger than the local receive
 * buffer.
 *
 * Everything in hdr comes from the peer and is treated as untrusted.  The
 * comparison of bodylen against sizeof(buf) is what keeps a peer-supplied
 * msglen from writing past the on-stack buffer; it is performed before the
 * body readn() and must stay there.
 */
struct msg *msg_read(int fd)
{
	struct apimsghdr hdr;
	uint8_t buf[OSPF_API_MAX_MSG_SIZE];
	ssize_t bodylen;
	ssize_t rlen;

	/* Fixed-size header first. */
	rlen = readn(fd, (uint8_t *)&hdr, sizeof(struct apimsghdr));
	if (rlen < 0) {
		zlog_warn("msg_read: readn %s", safe_strerror(errno));
		return NULL;
	}
	if (rlen == 0) {
		zlog_warn("msg_read: Connection closed by peer");
		return NULL;
	}
	if (rlen != sizeof(struct apimsghdr)) {
		zlog_warn("msg_read: Cannot read message header!");
		return NULL;
	}

	/* Only talk to peers speaking our protocol version. */
	if (hdr.version != OSPF_API_VERSION) {
		zlog_warn("msg_read: OSPF API protocol version mismatch");
		return NULL;
	}

	/* Peer-supplied body length, bounded by the receive buffer. */
	bodylen = ntohs(hdr.msglen);
	if (bodylen > (ssize_t)sizeof(buf)) {
		zlog_warn("%s: Body Length of message greater than what we can read",
			  __func__);
		return NULL;
	}

	/* Then the body, if there is one. */
	if (bodylen > 0) {
		rlen = readn(fd, buf, bodylen);
		if (rlen < 0) {
			zlog_warn("msg_read: readn %s", safe_strerror(errno));
			return NULL;
		}
		if (rlen == 0) {
			zlog_warn("msg_read: Connection closed by peer");
			return NULL;
		}
		if (rlen != bodylen) {
			zlog_warn("msg_read: Cannot read message body!");
			return NULL;
		}
	}

	/* Hand back a heap copy; buf is discarded with this frame. */
	return msg_new(hdr.msgtype, buf, ntohl(hdr.msgseq), bodylen);
}
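/*
 * Serialise msg (header + body) into one contiguous buffer and write it to
 * fd with writen().  Returns 0 on success, -1 on a bad body length, write
 * error, EOF or short write.
 *
 * The body length comes from msg->hdr.msglen.  It is checked against
 * OSPF_MAX_LSA_SIZE (the existing policy limit), against the space left in
 * buf after the header (so the memcpy can never overrun the on-stack buffer
 * whatever the two constants happen to be), and against the size of the
 * body stream (so the copy never reads past msg->s).
 */
int msg_write(int fd, struct msg *msg)
{
	uint8_t buf[OSPF_API_MAX_MSG_SIZE];
	uint16_t l;
	size_t total;
	int wlen;

	assert(msg);
	assert(msg->s);

	/* Length of OSPF LSA payload */
	l = ntohs(msg->hdr.msglen);
	if (l > OSPF_MAX_LSA_SIZE) {
		zlog_warn("%s: wrong LSA size %d", __func__, l);
		return -1;
	}

	/* Hard bound: header plus body must fit in buf. */
	if (l + sizeof(struct apimsghdr) > sizeof(buf)) {
		zlog_warn("%s: message body %d exceeds buffer", __func__, l);
		return -1;
	}

	/* And the body stream must really hold l bytes. */
	if (l > STREAM_SIZE(msg->s)) {
		zlog_warn("%s: message body %d exceeds stream", __func__, l);
		return -1;
	}

	/* Make contiguous memory buffer for message */
	memcpy(buf, &msg->hdr, sizeof(struct apimsghdr));
	memcpy(buf + sizeof(struct apimsghdr), STREAM_DATA(msg->s), l);

	/* Total length of OSPF API Message */
	total = sizeof(struct apimsghdr) + l;
	wlen = writen(fd, buf, total);
	if (wlen < 0) {
		zlog_warn("%s: writen %s", __func__, safe_strerror(errno));
		return -1;
	} else if (wlen == 0) {
		zlog_warn("%s: Connection closed by peer", __func__);
		return -1;
	} else if ((size_t)wlen != total) {
		zlog_warn("%s: Cannot write API message", __func__);
		return -1;
	}

	return 0;
}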
/* -----------------------------------------------------------
* Specific messages
* -----------------------------------------------------------
*/
/*
 * Build a MSG_REGISTER_OPAQUETYPE message for the (ltype, otype) pair.
 *
 * seqnum  sequence number placed in the message header by msg_new()
 * ltype   LSA type the opaque type belongs to
 * otype   opaque type being registered
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_register_opaque_type(uint32_t seqnum, uint8_t ltype,
					 uint8_t otype)
{
	/* Designated initializer: members not named here (the pad field)
	 * are zeroed, so no stack garbage ends up in the serialised copy. */
	struct msg_register_opaque_type rmsg = {
		.lsatype = ltype,
		.opaquetype = otype,
	};

	return msg_new(MSG_REGISTER_OPAQUETYPE, &rmsg, seqnum, sizeof(rmsg));
}
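/*
 * Build a MSG_REGISTER_EVENT message carrying an LSA filter.
 *
 * seqnum  sequence number for the message header
 * filter  filter to register; filter->num_areas decides how many trailing
 *         struct in_addr slots the message length accounts for
 *
 * Returns whatever msg_new() returns for the assembled message.
 *
 * NOTE(review): the area list is still not copied into the message (the
 * long-standing "API broken - missing memcpy" remark below).  The layout
 * of the areas behind struct lsa_filter_type is not visible here, so this
 * version only guarantees that the advertised-but-unfilled area slots are
 * zero instead of leftover stack bytes.
 */
struct msg *new_msg_register_event(uint32_t seqnum,
				   struct lsa_filter_type *filter)
{
	uint8_t buf[OSPF_API_MAX_MSG_SIZE];
	struct msg_register_event *emsg = (struct msg_register_event *)buf;
	unsigned int len = sizeof(struct msg_register_event)
			   + filter->num_areas * sizeof(struct in_addr);

	/* Never let the length exceed the on-stack buffer (CVE-2013-2236
	 * was a stack overrun in this API code). */
	if (len > sizeof(buf))
		len = sizeof(buf);

	/* msg_new() is handed len bytes of buf, which include the area
	 * slots nothing below writes.  Zero the span first so uninitialised
	 * stack memory is never serialised to the peer. */
	memset(buf, 0, len);

	emsg->filter.typemask = htons(filter->typemask); /* wire: big-endian */
	emsg->filter.origin = filter->origin;
	emsg->filter.num_areas = filter->num_areas;

	/* API broken - missing memcpy to fill data */
	return msg_new(MSG_REGISTER_EVENT, emsg, seqnum, len);
}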
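/*
 * Build a MSG_SYNC_LSDB message carrying an LSA filter.
 *
 * seqnum  sequence number for the message header
 * filter  filter selecting the LSAs to synchronise; filter->num_areas
 *         decides how many trailing struct in_addr slots the message
 *         length accounts for
 *
 * Returns whatever msg_new() returns for the assembled message.
 *
 * NOTE(review): as in new_msg_register_event(), the area list is still
 * not copied into the message ("API broken - missing memcpy" below).  The
 * layout of the areas behind struct lsa_filter_type is not visible here,
 * so this version only guarantees that the advertised-but-unfilled area
 * slots are zero instead of leftover stack bytes.
 */
struct msg *new_msg_sync_lsdb(uint32_t seqnum, struct lsa_filter_type *filter)
{
	uint8_t buf[OSPF_API_MAX_MSG_SIZE];
	struct msg_sync_lsdb *smsg = (struct msg_sync_lsdb *)buf;
	unsigned int len = sizeof(struct msg_sync_lsdb)
			   + filter->num_areas * sizeof(struct in_addr);

	/* Never let the length exceed the on-stack buffer (CVE-2013-2236
	 * was a stack overrun in this API code). */
	if (len > sizeof(buf))
		len = sizeof(buf);

	/* msg_new() is handed len bytes of buf, which include the area
	 * slots nothing below writes.  Zero the span first so uninitialised
	 * stack memory is never serialised to the peer. */
	memset(buf, 0, len);

	smsg->filter.typemask = htons(filter->typemask); /* wire: big-endian */
	smsg->filter.origin = filter->origin;
	smsg->filter.num_areas = filter->num_areas;

	/* API broken - missing memcpy to fill data */
	return msg_new(MSG_SYNC_LSDB, smsg, seqnum, len);
}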
/*
 * Build a MSG_ORIGINATE_REQUEST message wrapping one LSA.
 *
 * seqnum   sequence number for the message header
 * ifaddr   interface address placed in the request
 * area_id  area placed in the request
 * data     LSA to embed; data->length (network byte order) gives the
 *          number of LSA bytes copied
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_originate_request(uint32_t seqnum, struct in_addr ifaddr,
				      struct in_addr area_id,
				      struct lsa_header *data)
{
	char buf[OSPF_API_MAX_MSG_SIZE];
	struct msg_originate_request *omsg = (struct msg_originate_request *)buf;
	const size_t off_data = offsetof(struct msg_originate_request, data);
	const size_t data_maxs = sizeof(buf) - off_data;
	struct lsa_header *omsg_data = (struct lsa_header *)&buf[off_data];
	unsigned int lsalen;

	omsg->ifaddr = ifaddr;
	omsg->area_id = area_id;

	/* The LSA length is taken from the caller's header; clamp it to the
	 * room left in buf so an oversized LSA cannot overrun the stack
	 * (CVE-2013-2236).  A clamped LSA is copied truncated. */
	lsalen = ntohs(data->length);
	if (lsalen > data_maxs)
		lsalen = data_maxs;
	memcpy(omsg_data, data, lsalen);

	/* Total length = fixed part ahead of the LSA header + LSA bytes. */
	lsalen += sizeof(struct msg_originate_request)
		  - sizeof(struct lsa_header);

	return msg_new(MSG_ORIGINATE_REQUEST, omsg, seqnum, lsalen);
}
/*
 * Build a MSG_DELETE_REQUEST message for one opaque LSA.
 *
 * seqnum       sequence number for the message header
 * addr         address placed in the request
 * lsa_type     LSA type of the LSA to delete
 * opaque_type  opaque type of the LSA to delete
 * opaque_id    opaque id, converted to network byte order here
 * flags        request flags, copied verbatim
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_delete_request(uint32_t seqnum, struct in_addr addr,
				   uint8_t lsa_type, uint8_t opaque_type,
				   uint32_t opaque_id, uint8_t flags)
{
	/* Members not listed (the pad field) are zero-initialised. */
	struct msg_delete_request dmsg = {
		.addr = addr,
		.lsa_type = lsa_type,
		.opaque_type = opaque_type,
		.opaque_id = htonl(opaque_id), /* wire: big-endian */
		.flags = flags,
	};

	return msg_new(MSG_DELETE_REQUEST, &dmsg, seqnum, sizeof(dmsg));
}
/*
 * Build a MSG_REPLY message carrying a single return code.
 *
 * seqnr  sequence number for the message header
 * rc     error code stored in the reply
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_reply(uint32_t seqnr, uint8_t rc)
{
	/* Only errcode is set; the pad field is zero-initialised. */
	struct msg_reply rmsg = { .errcode = rc };

	return msg_new(MSG_REPLY, &rmsg, seqnr, sizeof(rmsg));
}
/*
 * Build a MSG_READY_NOTIFY message for an (lsa_type, opaque_type) pair.
 *
 * seqnr        sequence number for the message header
 * lsa_type     LSA type the notification refers to
 * opaque_type  opaque type the notification refers to
 * addr         address placed in the notification
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_ready_notify(uint32_t seqnr, uint8_t lsa_type,
				 uint8_t opaque_type, struct in_addr addr)
{
	/* The pad field is zero-initialised by the designated initializer. */
	struct msg_ready_notify rmsg = {
		.lsa_type = lsa_type,
		.opaque_type = opaque_type,
		.addr = addr,
	};

	return msg_new(MSG_READY_NOTIFY, &rmsg, seqnr, sizeof(rmsg));
}
/*
 * Build a MSG_NEW_IF message announcing an interface and its area.
 *
 * seqnr    sequence number for the message header
 * ifaddr   interface address
 * area_id  area the interface belongs to
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_new_if(uint32_t seqnr, struct in_addr ifaddr,
			   struct in_addr area_id)
{
	struct msg_new_if nmsg = {
		.ifaddr = ifaddr,
		.area_id = area_id,
	};

	return msg_new(MSG_NEW_IF, &nmsg, seqnr, sizeof(nmsg));
}
/*
 * Build a MSG_DEL_IF message announcing that an interface went away.
 *
 * seqnr   sequence number for the message header
 * ifaddr  address of the removed interface
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_del_if(uint32_t seqnr, struct in_addr ifaddr)
{
	struct msg_del_if dmsg = { .ifaddr = ifaddr };

	return msg_new(MSG_DEL_IF, &dmsg, seqnr, sizeof(dmsg));
}
/*
 * Build a MSG_ISM_CHANGE message reporting an interface state change.
 *
 * seqnr    sequence number for the message header
 * ifaddr   interface whose state changed
 * area_id  area of that interface
 * status   new interface state, copied verbatim
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_ism_change(uint32_t seqnr, struct in_addr ifaddr,
			       struct in_addr area_id, uint8_t status)
{
	/* Members not listed (the pad field) are zero-initialised. */
	struct msg_ism_change imsg = {
		.ifaddr = ifaddr,
		.area_id = area_id,
		.status = status,
	};

	return msg_new(MSG_ISM_CHANGE, &imsg, seqnr, sizeof(imsg));
}
/*
 * Build a MSG_NSM_CHANGE message reporting a neighbour state change.
 *
 * seqnr      sequence number for the message header
 * ifaddr     interface the neighbour is reached through
 * nbraddr    neighbour address
 * router_id  neighbour router id
 * status     new neighbour state, copied verbatim
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_nsm_change(uint32_t seqnr, struct in_addr ifaddr,
			       struct in_addr nbraddr, struct in_addr router_id,
			       uint8_t status)
{
	/* Members not listed (the pad field) are zero-initialised. */
	struct msg_nsm_change nmsg = {
		.ifaddr = ifaddr,
		.nbraddr = nbraddr,
		.router_id = router_id,
		.status = status,
	};

	return msg_new(MSG_NSM_CHANGE, &nmsg, seqnr, sizeof(nmsg));
}
/*
 * Build an LSA change notification (msgtype is supplied by the caller)
 * wrapping one LSA.
 *
 * msgtype            message type written into the header by msg_new()
 * seqnum             sequence number for the message header
 * ifaddr             interface the LSA was received on
 * area_id            area of the LSA
 * is_self_originated copied verbatim into the notification
 * data               LSA to embed; must be non-NULL, data->length (network
 *                    byte order) gives the number of LSA bytes copied
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_lsa_change_notify(uint8_t msgtype, uint32_t seqnum,
				      struct in_addr ifaddr,
				      struct in_addr area_id,
				      uint8_t is_self_originated,
				      struct lsa_header *data)
{
	uint8_t buf[OSPF_API_MAX_MSG_SIZE];
	struct msg_lsa_change_notify *nmsg = (struct msg_lsa_change_notify *)buf;
	const size_t off_data = offsetof(struct msg_lsa_change_notify, data);
	const size_t data_maxs = sizeof(buf) - off_data;
	struct lsa_header *nmsg_data = (struct lsa_header *)&buf[off_data];
	unsigned int lsalen;

	assert(data);

	nmsg->ifaddr = ifaddr;
	nmsg->area_id = area_id;
	nmsg->is_self_originated = is_self_originated;
	memset(&nmsg->pad, 0, sizeof(nmsg->pad));

	/* The LSA length is taken from the LSA header; clamp it to the room
	 * left in buf so an oversized LSA cannot overrun the stack
	 * (CVE-2013-2236).  A clamped LSA is copied truncated. */
	lsalen = ntohs(data->length);
	if (lsalen > data_maxs)
		lsalen = data_maxs;
	memcpy(nmsg_data, data, lsalen);

	/* Total length = fixed part ahead of the LSA header + LSA bytes. */
	lsalen += sizeof(struct msg_lsa_change_notify) - sizeof(struct lsa_header);

	return msg_new(msgtype, nmsg, seqnum, lsalen);
}
/*
 * Build a MSG_REACHABLE_CHANGE message listing newly reachable and newly
 * unreachable router ids.
 *
 * seqnum   sequence number for the message header
 * nadd     number of entries in add
 * add      router ids that became reachable (may be NULL when nadd is 0)
 * nremove  number of entries in remove
 * remove   router ids that became unreachable (may be NULL when nremove
 *          is 0)
 *
 * Both counts are clamped to what fits in the on-stack buffer; the add
 * list takes precedence and the remove list gets whatever room is left.
 * The counts actually sent are the clamped ones.
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_reachable_change(uint32_t seqnum, uint16_t nadd,
				     struct in_addr *add, uint16_t nremove,
				     struct in_addr *remove)
{
	uint8_t buf[OSPF_API_MAX_MSG_SIZE];
	struct msg_reachable_change *nmsg = (void *)buf;
	const uint insz = sizeof(*nmsg->router_ids);
	const uint nmax = (sizeof(buf) - sizeof(*nmsg)) / insz;
	uint len;

	/* Clamp so insz * (nadd + nremove) never exceeds the buffer. */
	if (nadd > nmax)
		nadd = nmax;
	if (nremove > nmax - nadd)
		nremove = nmax - nadd;

	/* Counts go out in network byte order. */
	nmsg->nadd = htons(nadd);
	nmsg->nremove = htons(nremove);

	/* The add list is followed directly by the remove list. */
	if (nadd)
		memcpy(&nmsg->router_ids[0], add, nadd * insz);
	if (nremove)
		memcpy(&nmsg->router_ids[nadd], remove, nremove * insz);

	len = sizeof(*nmsg) + insz * (nadd + nremove);

	return msg_new(MSG_REACHABLE_CHANGE, nmsg, seqnum, len);
}
/*
 * Build a MSG_ROUTER_ID_CHANGE message carrying the new router id.
 *
 * seqnum     sequence number for the message header
 * router_id  the router id to announce
 *
 * Returns whatever msg_new() returns for the assembled message.
 */
struct msg *new_msg_router_id_change(uint32_t seqnum, struct in_addr router_id)
{
	struct msg_router_id_change rmsg;

	/* Clear everything first so any member besides router_id is zero. */
	memset(&rmsg, 0, sizeof(rmsg));
	rmsg.router_id = router_id;

	return msg_new(MSG_ROUTER_ID_CHANGE, &rmsg, seqnum, sizeof(rmsg));
}
#endif /* SUPPORT_OSPF_API */