From ab164971891c64126097eedca11d2f5586f1d8e7 Mon Sep 17 00:00:00 2001 From: Ondrej Zajicek Date: Tue, 29 Mar 2011 01:41:46 +0200 Subject: Fixes a nasty bug in OSPF. Sending malformed network prefixes in LSAs causes OSPF to crash just after the LSA is propagated to the other routers. --- proto/ospf/rt.c | 49 ++++++++++++++++++++++++++++++++++++------------- 1 file changed, 36 insertions(+), 13 deletions(-) (limited to 'proto/ospf/rt.c') diff --git a/proto/ospf/rt.c b/proto/ospf/rt.c index 2f9fe49..9e3f9d7 100644 --- a/proto/ospf/rt.c +++ b/proto/ospf/rt.c @@ -245,6 +245,13 @@ add_network(struct ospf_area *oa, ip_addr px, int pxlen, int metric, struct top_ .nhs = en->nhs }; + if (pxlen < 0 || pxlen > MAX_PREFIX_LENGTH) + { + log(L_WARN "%s: Invalid prefix in LSA (Type: %04x, Id: %R, Rt: %R)", + oa->po->proto.name, en->lsa.type, en->lsa.id, en->lsa.rt); + return; + } + if (en == oa->rt) { /* @@ -336,7 +343,8 @@ ospf_rt_spfa_rtlinks(struct ospf_area *oa, struct top_hash_entry *act, struct to { // struct proto *p = &oa->po->proto; struct proto_ospf *po = oa->po; - int i; + ip_addr prefix UNUSED; + int pxlen UNUSED, i; struct ospf_lsa_rt *rt = en->lsa_body; struct ospf_lsa_rt_link *rr = (struct ospf_lsa_rt_link *) (rt + 1); @@ -357,9 +365,9 @@ ospf_rt_spfa_rtlinks(struct ospf_area *oa, struct top_hash_entry *act, struct to * the same result by handing them here because add_network() * will keep the best (not the first) found route. */ - add_network(oa, ipa_from_u32(rtl->id), - ipa_mklen(ipa_from_u32(rtl->data)), - act->dist + rtl->metric, act, i); + prefix = ipa_from_u32(rtl->id & rtl->data); + pxlen = ipa_mklen(ipa_from_u32(rtl->data)); + add_network(oa, prefix, pxlen, act->dist + rtl->metric, act, i); break; #endif @@ -398,6 +406,8 @@ ospf_rt_spfa(struct ospf_area *oa) struct ospf_lsa_rt *rt; struct ospf_lsa_net *ln; struct top_hash_entry *act, *tmp; + ip_addr prefix UNUSED; + int pxlen UNUSED; u32 i, *rts; node *n; @@ -470,8 +480,9 @@ ospf_rt_spfa(struct ospf_area *oa) ln = act->lsa_body; #ifdef OSPFv2 - add_network(oa, ipa_and(ipa_from_u32(act->lsa.id), ln->netmask), - ipa_mklen(ln->netmask), act->dist, act, -1); + prefix = ipa_and(ipa_from_u32(act->lsa.id), ln->netmask); + pxlen = ipa_mklen(ln->netmask); + add_network(oa, prefix, pxlen, act->dist, act, -1); #endif rts = (u32 *) (ln + 1); @@ -618,8 +629,8 @@ ospf_rt_sum(struct ospf_area *oa) { #ifdef OSPFv2 struct ospf_lsa_sum *ls = en->lsa_body; - pxlen = ipa_mklen(ls->netmask); ip = ipa_and(ipa_from_u32(en->lsa.id), ls->netmask); + pxlen = ipa_mklen(ls->netmask); #else /* OSPFv3 */ u8 pxopts; u16 rest; @@ -630,6 +641,13 @@ ospf_rt_sum(struct ospf_area *oa) continue; #endif + if (pxlen < 0 || pxlen > MAX_PREFIX_LENGTH) + { + log(L_WARN "%s: Invalid prefix in LSA (Type: %04x, Id: %R, Rt: %R)", + p->name, en->lsa.type, en->lsa.id, en->lsa.rt); + continue; + } + metric = ls->metric & METRIC_MASK; options = 0; type = ORT_NET; @@ -695,7 +713,7 @@ ospf_rt_sum(struct ospf_area *oa) static void ospf_rt_sum_tr(struct ospf_area *oa) { - // struct proto *p = &oa->po->proto; + struct proto *p = &oa->po->proto; struct proto_ospf *po = oa->po; struct ospf_area *bb = po->backbone; ip_addr abrip; @@ -728,8 +746,8 @@ ospf_rt_sum_tr(struct ospf_area *oa) int pxlen; #ifdef OSPFv2 struct ospf_lsa_sum *ls = en->lsa_body; - pxlen = ipa_mklen(ls->netmask); ip = ipa_and(ipa_from_u32(en->lsa.id), ls->netmask); + pxlen = ipa_mklen(ls->netmask); #else /* OSPFv3 */ u8 pxopts; u16 rest; @@ -740,6 +758,13 @@ ospf_rt_sum_tr(struct ospf_area *oa) continue; #endif + if (pxlen < 0 || pxlen > MAX_PREFIX_LENGTH) + { + log(L_WARN "%s: Invalid prefix in LSA (Type: %04x, Id: %R, Rt: %R)", + p->name, en->lsa.type, en->lsa.id, en->lsa.rt); + continue; + } + metric = ls->metric & METRIC_MASK; re = fib_find(&po->rtf, &ip, pxlen); } @@ -1139,9 +1164,9 @@ ospf_ext_spf(struct proto_ospf *po) rt_tag = 0; #endif - if (pxlen < 0) + if (pxlen < 0 || pxlen > MAX_PREFIX_LENGTH) { - log(L_WARN "%s: Invalid mask in LSA (Type: %04x, Id: %R, Rt: %R)", + log(L_WARN "%s: Invalid prefix in LSA (Type: %04x, Id: %R, Rt: %R)", p->name, en->lsa.type, en->lsa.id, en->lsa.rt); continue; } @@ -1703,8 +1728,6 @@ again1: e->net = ne; e->pref = p->preference; - - DBG("Mod rte type %d - %I/%d via %I on iface %s, met %d\n", a0.source, nf->fn.prefix, nf->fn.pxlen, a0.gw, a0.iface ? a0.iface->name : "(none)", nf->n.metric1); rte_update(p->table, ne, p, p, e); -- cgit v1.2.3