From: Ondrej Zajicek
Date: Mon, 20 Jun 2011 05:37:55 +0000 (+0200)
Subject: Fixes a bug in OSPF causing DoS by an invalid packet.
X-Git-Tag: v1.3.2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae85e28cf410cefe4f6e1cdf92510fbf9cea7ae0;p=thirdparty%2Fbird.git
Fixes a bug in OSPF causing DoS by an invalid packet.
---
diff --git a/proto/ospf/lsupd.c b/proto/ospf/lsupd.c
index 06b62ae21..b69d861d3 100644
--- a/proto/ospf/lsupd.c
+++ b/proto/ospf/lsupd.c
@@ -43,12 +43,12 @@ static void ospf_dump_lsupd(struct proto *p, struct ospf_lsupd_packet *pkt)
 u8 *pbuf= (u8 *) pkt;
 unsigned int offset = sizeof(struct ospf_lsupd_packet);
 unsigned int bound = ntohs(op->length) - sizeof(struct ospf_lsa_header);
- unsigned int i, j;
+ unsigned int i, j, lsalen;
 j = ntohl(pkt->lsano);
 for (i = 0; i < j; i++)
 {
- if ((offset > bound) || ((offset % 4) != 0))
+ if (offset > bound)
 {
 log(L_TRACE "%s: LSA invalid", p->name);
 return;
@@ -56,7 +56,14 @@ static void ospf_dump_lsupd(struct proto *p, struct ospf_lsupd_packet *pkt)
 struct ospf_lsa_header *lsa = (void *) (pbuf + offset);
 ospf_dump_lsahdr(p, lsa);
- offset += ntohs(lsa->length);
+ lsalen = ntohs(lsa->length);
+ offset += lsalen;
+
+ if (((lsalen % 4) != 0) || (lsalen <= sizeof(struct ospf_lsa_header)))
+ {
+ log(L_TRACE "%s: LSA invalid", p->name);
+ return;
+ }
 }
 }
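Review bot: `bound` in the first hunk (`@@ -43,12 +43,12 @@`) is computed by unsigned subtraction from the packet's own length field, so if `ntohs(op->length)` were ever smaller than `sizeof(struct ospf_lsa_header)` it would wrap to a very large value and the `offset > bound` test would never fire. Whether the receive path has already enforced a minimum length is not visible here, because `op` is set up before the hunk starts. Writing the test in additive form removes that dependency: `if (offset + sizeof(struct ospf_lsa_header) > ntohs(op->length))`. If the caller does guarantee the minimum, a one-line comment on `bound` saying so would be enough.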
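Review bot: The new length test in the second hunk (`@@ -56,7 +56,14 @@`) has no comment saying what it protects, and that reasoning is the security-relevant part of the fix. The loop count `j` is a 32-bit value taken from the packet (`ntohl(pkt->lsano)`), so the loop is bounded only if every iteration moves `offset` forward; a comment above the `if` such as `/* lsalen is untrusted: require a multiple of 4 larger than the header so offset always advances towards bound */` would record that. The test also does not compare `offset` with the packet length after the addition, so an LSA whose declared length overruns the packet is reported only if another iteration follows, and for the last LSA it goes unlogged. Both rejection paths print the same `LSA invalid` text, so including `lsalen` in the new message would make traces easier to read. The function starts above this hunk.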