FRRouting NULL Pointer Dereference Vulnerability in OSPF Component Allowing Denial-of-Service

A NULL pointer dereference vulnerability has been identified in FRRouting (FRR) versions 4.0 through 10.4.1. The issue arises in the OSPF component, specifically within the 'show_vty_ext_link_lan_adj_sid' function in 'ospf_ext.c'. This vulnerability can be exploited by sending a crafted OSPF packet, leading to a crash of the OSPF daemon ('ospfd') and causing a denial-of-service condition. The vulnerability is triggered when the 'debug ospf packet all send/recv detail' command is enabled, allowing the OSPF process to process and display detailed information about OSPF packets. Under these conditions, the absence of proper validation for certain OSPF packet details can result in dereferencing a NULL pointer, causing the OSPF process to crash.

Impact

Exploitation of this vulnerability causes the OSPF daemon to crash, disrupting OSPF routing processes and potentially leading to broader network connectivity issues.

Reproduction

To reproduce this vulnerability, set up a network topology with two routers using Mininet. Configure both routers to enable OSPF and the 'debug ospf packet all send/recv detail' option. Once this is done, send an OSPF packet containing an opaque LSA from the second router to the first. The first router's OSPF process will crash upon receiving the packet, demonstrating the vulnerability.

Remediation

Users can upgrade to FRRouting version 10.4.1 or later, where this vulnerability has been addressed.