Fixes a bug in OSPF causing DoS by an invalid packet.

Ondrej Zajicek 2011-06-20 07:37:55 +02:00
parent 61c96d7244
commit ae85e28cf4


@ -43,12 +43,12 @@ static void ospf_dump_lsupd(struct proto *p, struct ospf_lsupd_packet *pkt)
u8 *pbuf= (u8 *) pkt; u8 *pbuf= (u8 *) pkt;
unsigned int offset = sizeof(struct ospf_lsupd_packet); unsigned int offset = sizeof(struct ospf_lsupd_packet);
unsigned int bound = ntohs(op->length) - sizeof(struct ospf_lsa_header); unsigned int bound = ntohs(op->length) - sizeof(struct ospf_lsa_header);
unsigned int i, j; unsigned int i, j, lsalen;
j = ntohl(pkt->lsano); j = ntohl(pkt->lsano);
for (i = 0; i < j; i++) for (i = 0; i < j; i++)
{ {
if ((offset > bound) || ((offset % 4) != 0)) if (offset > bound)
{ {
log(L_TRACE "%s: LSA invalid", p->name); log(L_TRACE "%s: LSA invalid", p->name);
return; return;
@ -56,7 +56,14 @@ static void ospf_dump_lsupd(struct proto *p, struct ospf_lsupd_packet *pkt)
struct ospf_lsa_header *lsa = (void *) (pbuf + offset); struct ospf_lsa_header *lsa = (void *) (pbuf + offset);
ospf_dump_lsahdr(p, lsa); ospf_dump_lsahdr(p, lsa);
offset += ntohs(lsa->length); lsalen = ntohs(lsa->length);
offset += lsalen;
if (((lsalen % 4) != 0) || (lsalen <= sizeof(struct ospf_lsa_header)))
{
log(L_TRACE "%s: LSA invalid", p->name);
return;
}
} }
} }
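Review bot: The `bound` computation kept as context in the first hunk, `ntohs(op->length) - sizeof(struct ospf_lsa_header)`, is unsigned, so a packet whose declared length is smaller than one LSA header makes it wrap to a very large value and the `offset > bound` test at the top of the loop never fires; the new `lsalen` checks do not cover that case. Unless the length is already validated before this function is called (the declaration of `op` and the receive path are outside the hunk), the loop can then read LSA headers past the end of the packet, with `lsano` from the packet as the only limit. Comparing without the subtraction avoids the wrap: `if (offset + sizeof(struct ospf_lsa_header) > ntohs(op->length))`. It would also read more naturally to validate `lsalen` before `offset += lsalen`, although the current order is safe because `offset` is rechecked before the next dereference.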