authorOndrej Zajicek <santiago@crfreenet.org>2011-06-20 07:37:55 +0200
committerOndrej Zajicek <santiago@crfreenet.org>2011-06-20 07:37:55 +0200
commitae85e28cf410cefe4f6e1cdf92510fbf9cea7ae0 (patch)
tree14fef82061a5fb035a16da5a42c50739f2815247
parent61c96d724464ee067e589b72ca9d10a2f7692901 (diff)
Fixes a bug in OSPF causing DoS by an invalid packet.
-rw-r--r--proto/ospf/lsupd.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/proto/ospf/lsupd.c b/proto/ospf/lsupd.c
index 06b62ae..b69d861 100644
--- a/proto/ospf/lsupd.c
+++ b/proto/ospf/lsupd.c
@@ -43,12 +43,12 @@ static void ospf_dump_lsupd(struct proto *p, struct ospf_lsupd_packet *pkt)
u8 *pbuf= (u8 *) pkt;
unsigned int offset = sizeof(struct ospf_lsupd_packet);
unsigned int bound = ntohs(op->length) - sizeof(struct ospf_lsa_header);
- unsigned int i, j;
+ unsigned int i, j, lsalen;
j = ntohl(pkt->lsano);
for (i = 0; i < j; i++)
{
- if ((offset > bound) || ((offset % 4) != 0))
+ if (offset > bound)
{
log(L_TRACE "%s: LSA invalid", p->name);
return;
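Review bot: `bound` on the context line `unsigned int bound = ntohs(op->length) - sizeof(struct ospf_lsa_header);` wraps to a very large value when the packet's length field is smaller than one LSA header, after which `offset > bound` can no longer reject anything and the loop may read LSA headers beyond the received data. Whether the caller already guarantees a minimum length is not visible here, since `op` and the start of ospf_dump_lsupd are outside the hunk. If it does not, a guard before the loop such as `if (ntohs(op->length) < offset + sizeof(struct ospf_lsa_header)) return;` closes that case.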
@@ -56,7 +56,14 @@ static void ospf_dump_lsupd(struct proto *p, struct ospf_lsupd_packet *pkt)
struct ospf_lsa_header *lsa = (void *) (pbuf + offset);
ospf_dump_lsahdr(p, lsa);
- offset += ntohs(lsa->length);
+ lsalen = ntohs(lsa->length);
+ offset += lsalen;
+
+ if (((lsalen % 4) != 0) || (lsalen <= sizeof(struct ospf_lsa_header)))
+ {
+ log(L_TRACE "%s: LSA invalid", p->name);
+ return;
+ }
}
}
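Review bot: The added check tests `lsalen` only for alignment and minimum size, so the last LSA in the packet can still claim a length that runs past the packet end without being reported; `offset > bound` is evaluated only at the top of the next iteration, which never runs for the final LSA. Only the LSA header is passed on in the visible lines, so this looks like a gap in what the trace reports rather than a read past the buffer. Adding `|| (offset > bound + sizeof(struct ospf_lsa_header))` to the condition would flag it. Giving this branch its own message, e.g. `log(L_TRACE "%s: LSA invalid length", p->name);`, would also let an operator tell it apart from the bounds failure earlier in the loop.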