ospfd: Solved crash in RI parsing with OSPF TE

[odd22]

Iggy Frankovic discovered another ospfd crash when perfomring fuzzing of OSPF LSA packets. The crash occurs in ospf_te_parse_ri() function when attemping to read Segment Routing subTLVs. The original code doesn't check if the size of the SR subTLVs have the correct length. In presence of erronous LSA, this will cause a buffer overflow and ospfd crash.

This patch introduces new verification of the subTLVs size for Router Information TLV.

[aceelindem]

See a couple questions on RFC 8665 parsing.

[aceelindem]

The number of algorithms is variable - right? Why must there be 4? Shouldn't this be "< 1"?

[odd22]

Good Catch. In fact I need that the size is comprise between 1 and 4.

[odd22]

Just update the code to check that Algorithm size is in the interval [1 - 4]. Normally, 2 should be sufficient according to RFC8665 as only 2 algorithms have been defines (SPF and Strict SPF). This should be modified when Flex algo will be added latter.

[aceelindem]

Shouldn't all these checks break out if the size isn't the minimum, i.e., "< minimum" rather than "!=".

[odd22]

Well, yes and no. Yes when subTLV has variable size like you mention about the Algorithm, and no when subTLVs have fixed size. I'll check with SRGB, SRLB and MSD in which category they felt and change code accordingly.

[aceelindem]

SRGB and SRLB are fixed size today (RFC 8665) but could be extended with Sub-TLVs in future RFCs. This seems unlikely but I may be overlooking something. MSD allows for multiple MSD types today (RFC 8476). What I would do if it could be done without too much effort is just ignore values that aren't understood. However, I don't feel that strongly.

[odd22]

As per RFC8665,

Only a single SID/Label Sub-TLV MAY be advertised in the SID/Label Range TLV. If more than one SID/Label Sub-TLV is present, the SID/Label Range TLV MUST be ignored.

Thus, the size should not be exceeded 12 bytes. If there is more than one SID/Label Sub-TLV, the code MUST ignore the SRGB (or SRLB). Thus, but checking that the TLV size is exactly 12, we ensure that there is only one SID/Label Sub-TLV and that the SRGB or SRLB is acceptable. Regarding the size of the SID/Label sub-TLVs size, it could be 3 or 4 depending if the SID is an MPLS label (3 bytes) or an index (4 bytes). But, in any case, due to the fact that OSPF impose a 4 bytes alignment of TLV, there is an extra byte when SID is an MPLS label. Thus, in all case, from the SRGB or SRLB TLV point of view, the SID/Label SubTLV has already the same size and conduct to a TLV of 12 bytes. Again, if there new RFCs that extend SRGB / SRLB, we'll modify the code accordingly. For the moment, the code is supporting strictly RFC8665, not more.

Regarding MSD, as per RFC8476:

When multiple Node MSD TLVs are received from a given router, the
receiver MUST use the first occurrence of the TLV in the Router
Information (RI) LSA.

In addition, as per RFC8491, only one Node MSD Type has been defined. Thus, only one Node MSD is pertinent and supported. So, checking that there is one Node MSD and not more is correct. Again, if new RFC defin new MSD Type in the registry, we'll enhance the code. However, I changed the code to check that Node MSD size is not lower than the expected size as you purpose.

[odd22]

Update the code accordingly to the review and add a new commit for Extended Link LSA parser

[aceelindem]

See the comment on the remote interface address.

[aceelindem]

This check is ok since RFC 3630 indicates in section 2.4.2:

Only one Link TLV shall be carried in each LSA, allowing for fine
granularity changes in topology.

You might want to add a comment stating this.

[odd22]

Done

[aceelindem]

Ok - this will work since TLV_BODY_SIZE() rounds up to the 4 byte boundary so it doesn't matter whether a local label or offset is advertised as specified in section 5 of RFC 8665.

[odd22]

Yes. That's the purpose of the TLV_BODY_SIZE() macro. In fact, all TLV_ macros are dealing with the 4 bytes alignment.

[aceelindem]

RFC 3630 allows for multiple remote addresses in section 2.5.4 of RFC 3630.

[odd22]

Well, this is not part of the RFC3630. In fact, this subTLV is a Cisco proprietary one using the experimental type 32768. From what I could observed on Cisco router, I saw only one remote IP address. If you have some Cisco internal documents that explain this TLV, please share them to us.

[aceelindem]

Okay this is the OSPF Extended Link Opaque LSA. What confused me is that this is a general purpose LSA rather than a TE LSA.

[aceelindem]

Shouldn't you remove this check and only retain the first ALGORITHM_COUNT?

[odd22]

Well, the goal is to check that there is a valid size to avoid a problem in case of malformed LSA, DDoS ... that Iggy detected with fuzzing. Thus, I prefer to keep the control to let the code more robust.

[aceelindem]

My point was that RFC 8665 section 3.1 doesn't limit the number of algorithms advertised to 4. What you could do is parse all that are advertised and only retain the algorithms that are known to the implementation since those are the only ones that would make a difference. See https://www.iana.org/assignments/igp-parameters/igp-parameters.xhtml#igp-algorithm-types

[riw777]

no comments further than @aceelindem 's ...

[aceelindem]

Let's go ahead with this - while I would have allowed for the full extent of the sub-TLVs as allowed in the standards, I agree that the probability of these being advertised today is minimal.

[odd22]

Let's go ahead with this - while I would have allowed for the full extent of the sub-TLVs as allowed in the standards, I agree that the probability of these being advertised today is minimal.

The main goal of this PR is to enhance the original code to prevent ospfd crash against malformed LSA. Not to enhance or add new RFCs or features. We could discuss offline the list of improvement we need to add to ospfd.

[ton31337]

Could you fix frrbot styling issues before merging?

[odd22]

Could you fix frrbot styling issues before merging?

Done

[odd22]

ci:rerun

[odd22]

ci:run

[aceelindem]

Got the error this time. The problem comes from a wrong TLV size verification for TE database which output the ospf_te_parse_pref() and ospf_te_parse_link() with error. Unfortunately, within ospf opaque processing, if a registered function terminate with error, others registered functions in the queue are not call (see lines 1043 - 1045 in ospf_opaque.c). Thus, Opaque LSA for Segment Routing are not processed and thus, tests failed as MPLS table is not fulfill.

Hope the tests pass this time.

So, this was an intermittant failure? The changes in the 3 recent commits all add more checking - which change fixed the failing topotests? I can't find any checking that was corrected (only added validation). What am I missing?

[aceelindem]

Got the error this time. The problem comes from a wrong TLV size verification for TE database which output the ospf_te_parse_pref() and ospf_te_parse_link() with error. Unfortunately, within ospf opaque processing, if a registered function terminate with error, others registered functions in the queue are not call (see lines 1043 - 1045 in ospf_opaque.c). Thus, Opaque LSA for Segment Routing are not processed and thus, tests failed as MPLS table is not fulfill.
Hope the tests pass this time.

So, this was an intermittant failure? The changes in the 3 recent commits all add more checking - which change fixed the failing topotests? I can't find any checking that was corrected (only added validation). What am I missing?

Was this causing the topotest failures?

if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
ote_debug(" |- Found no TE Link local address/ID. Abort!");
return -1;
}

[odd22]

So, this was an intermittant failure? The changes in the 3 recent commits all add more checking - which change fixed the failing topotests? I can't find any checking that was corrected (only added validation). What am I missing?

The previous versions of my PR were wrong and cause systematic crashed. It is not intermittent.

[odd22]

So, this was an intermittant failure? The changes in the 3 recent commits all add more checking - which change fixed the failing topotests? I can't find any checking that was corrected (only added validation). What am I missing?

Was this causing the topotest failures?

if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
ote_debug(" |- Found no TE Link local address/ID. Abort!");
return -1;
}

Let me try to explain how Opaque LSA is handle. Within ospfd/ospf_opaque.c there is a mechanism to register specific functions for a given type of Opaque LSA. The current ospfd code handle 4 different Opaque LSA: TE, Router Information, Extended Prefix and Extended Link. All of them have a different LSA-ID starting respectively by 1.x.x.x, 4.x.x.x, 7.x.x.x and 8.x.x.x. For each of them, specifics functions are registered in ospf_opaque handler. Look at the beginning of ospf_te.c, ospf_ri.c and ospf_ext.c.

Now, within ospf opaque processing, if a registered function terminated with error, others registered functions in the queue are not call (see lines 1043 - 1045 in ospf_opaque.c). Regarding the current code and how configuration file is parsed, TE and RI functions are registered before Extended ones. Thus, if a TE or RI function failed during opaque handler, the Extended registered functions are not called which cause tests failure, in particular tests which uses Segment Routing.

Thus, if we would change how opaque registered functions are handled in case of error, we need to discuss pro/cons of the current system and produce another PR.

Hope these explanation are clear.

[aceelindem]

So, this was an intermittant failure? The changes in the 3 recent commits all add more checking - which change fixed the failing topotests? I can't find any checking that was corrected (only added validation). What am I missing?

Was this causing the topotest failures?

if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) { ote_debug(" |- Found no TE Link local address/ID. Abort!"); return -1; }

Let me try to explain how Opaque LSA is handle. Within ospfd/ospf_opaque.c there is a mechanism to register specific functions for a given type of Opaque LSA. The current ospfd code handle 4 different Opaque LSA: TE, Router Information, Extended Prefix and Extended Link. All of them have a different LSA-ID starting respectively by 1.x.x.x, 4.x.x.x, 7.x.x.x and 8.x.x.x. For each of them, specifics functions are registered in ospf_opaque handler. Look at the beginning of ospf_te.c, ospf_ri.c and ospf_ext.c.

Now, within ospf opaque processing, if a registered function terminated with error, others registered functions in the queue are not call (see lines 1043 - 1045 in ospf_opaque.c). Regarding the current code and how configuration file is parsed, TE and RI functions are registered before Extended ones. Thus, if a TE or RI function failed during opaque handler, the Extended registered functions are not called which cause tests failure, in particular tests which uses Segment Routing.

Thus, if we would change how opaque registered functions are handled in case of error, we need to discuss pro/cons of the current system and produce another PR.

Hope these explanation are clear.

Yes - I understand and I agree the OSPF opaque infra-structure shouldn't be so fragile.

[Jafaral]

@Mergifyio backport stable/8.4 stable/8.5 stable/9.0 stable/9.1 stable/10.0

[mergify]

backport stable/8.4 stable/8.5 stable/9.0 stable/9.1 stable/10.0

✅ Backports have been created

• #16088 ospfd: Solved crash in RI parsing with OSPF TE (backport #15674) has been created for branch stable/8.4
• #16087 ospfd: Solved crash in RI parsing with OSPF TE (backport #15674) has been created for branch stable/8.5
• #16086 ospfd: Solved crash in RI parsing with OSPF TE (backport #15674) has been created for branch stable/9.0
• #16085 ospfd: Solved crash in RI parsing with OSPF TE (backport #15674) has been created for branch stable/9.1
• #16084 ospfd: Solved crash in RI parsing with OSPF TE (backport #15674) has been created for branch stable/10.0