File bug-718058_quagga-master-514839.patch of Package quagga.import5276

commit 814a21b1a5af7b942e67ddf49e4b3eb3fd9353a6
Author: Denis Ovsienko <infrastation@yandex.ru>
Date:   Thu Sep 1 18:48:42 2011 +0400

    ospf6d: CERT-FI #514839 (DD LSA assertion)
    
    This vulnerability was reported by CROSS project.
    
    When Database Description LSA header list contains trailing zero octets,
    ospf6d tries to process this data as an LSA header. This triggers an
    assertion in the code and ospf6d shuts down.
    
    * ospf6_lsa.c
      * ospf6_lsa_is_changed(): handle header-only argument(s)
        appropriately, do not treat LSA length underrun as a fatal error.

diff --git a/ospf6d/ospf6_lsa.c b/ospf6d/ospf6_lsa.c
index c1db374..a9545c3 100644
--- a/ospf6d/ospf6_lsa.c
+++ b/ospf6d/ospf6_lsa.c
@@ -163,9 +163,19 @@ ospf6_lsa_is_changed (struct ospf6_lsa *lsa1,
     return 1;
   if (ntohs (lsa1->header->length) != ntohs (lsa2->header->length))
     return 1;
+  /* Going beyond LSA headers to compare the payload only makes sense, when both LSAs aren't header-only. */
+  if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY) != CHECK_FLAG (lsa2->flag, OSPF6_LSA_HEADERONLY))
+  {
+    zlog_warn ("%s: only one of two (%s, %s) LSAs compared is header-only", __func__, lsa1->name, lsa2->name);
+    return 1;
+  }
+  if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY))
+    return 0;
 
   length = OSPF6_LSA_SIZE (lsa1->header) - sizeof (struct ospf6_lsa_header);
-  assert (length > 0);
+  /* Once upper layer verifies LSAs received, length underrun should become a warning. */
+  if (length <= 0)
+    return 0;
 
   return memcmp (OSPF6_LSA_HEADER_END (lsa1->header),
                  OSPF6_LSA_HEADER_END (lsa2->header), length);