FRRouting NULL Pointer Dereference Vulnerability in OSPF Component Leading to Denial-of-Service

A NULL pointer dereference vulnerability has been identified in FRRouting (FRR) versions 4.0 through 10.4.1. The issue arises in the OSPF component, specifically within the 'show_vty_ext_link_rmt_itf_addr' function in 'ospf_ext.c'. When the OSPF daemon ('ospfd') is configured to debug packet details, it can be tricked into accessing a NULL pointer by a crafted OSPF packet. This oversight causes 'ospfd' to crash, creating a Denial-of-Service condition.

Impact

Exploitation of this vulnerability leads to a crash of the OSPF daemon, disrupting OSPF routing processes and causing a Denial-of-Service condition on the affected router.

Reproduction

To reproduce this vulnerability, set up a network topology with two routers using Mininet. Configure both routers to enable OSPF and the 'debug ospf packet all send/recv detail' command. Once this debugging is active, send an OSPF packet containing an opaque LSA from the second router to the first. The OSPF process on the first router will crash upon receiving the packet, demonstrating the vulnerability.

Remediation

Users can upgrade to FRRouting version 10.4.1 or later, where this vulnerability has been addressed.