FRRouting NULL Pointer Dereference Vulnerability in OSPF Component Allowing Denial-of-Service

A NULL pointer dereference vulnerability has been identified in the FRRouting (FRR) OSPF component, specifically in versions 4.0 prior to 10.4.1. The issue arises in the 'show_vty_pref_pref_sid' function within 'ospf_ext.c'. When the OSPF daemon ('ospfd') is configured to debug packet details, a crafted LSA Update packet can trigger the vulnerability, causing the 'ospfd' process to crash and leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the OSPF daemon to crash, disrupting OSPF routing processes and potentially leading to broader network instability.

Reproduction

To reproduce this vulnerability, set up a network topology with two routers using Mininet. Configure both routers to enable OSPF and the 'debug ospf packet all send/recv detail' option. Once this debugging is active, send a packet containing an opaque LSA from one router to the other. The receiving router's OSPF process will crash upon processing the packet, demonstrating the vulnerability.

Remediation

Users can upgrade to FRRouting versions 10.4.2 or later, where this vulnerability has been fixed.