59 lines
2.6 KiB
Diff
59 lines
2.6 KiB
Diff
From cc2e6770697e343f4af534114ab7e633d5beabec Mon Sep 17 00:00:00 2001
|
|
From: Paul Jakma <paul@jakma.org>
|
|
Date: Wed, 3 Jan 2018 23:57:33 +0000
|
|
Subject: bgpd/security: invalid attr length sends NOTIFY with data overrun
|
|
|
|
Security issue: Quagga-2018-0543
|
|
|
|
See: https://www.quagga.net/security/Quagga-2018-0543.txt
|
|
|
|
* bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly
|
|
checked, and a NOTIFY prepared. The NOTIFY can include the incorrect
|
|
received data with the NOTIFY, for debug purposes. Commit
|
|
c69698704806a9ac5 modified the code to do that just, and also send the
|
|
malformed attr with the NOTIFY. However, the invalid attribute length was
|
|
used as the length of the data to send back.
|
|
|
|
The result is a read past the end of data, which is then written to the
|
|
NOTIFY message and sent to the peer.
|
|
|
|
A configured BGP peer can use this bug to read up to 64 KiB of memory from
|
|
the bgpd process, or crash the process if the invalid read is caught by
|
|
some means (unmapped page and SEGV, or other mechanism) resulting in a DoS.
|
|
|
|
This bug _ought_ /not/ be exploitable by anything other than the connected
|
|
BGP peer, assuming the underlying TCP transport is secure. For no BGP
|
|
peer should send on an UPDATE with this attribute. Quagga will not, as
|
|
Quagga always validates the attr header length, regardless of type.
|
|
|
|
However, it is possible that there are BGP implementations that do not
|
|
check lengths on some attributes (e.g. optional/transitive ones of a type
|
|
they do not recognise), and might pass such malformed attrs on. If such
|
|
implementations exists and are common, then this bug might be triggerable
|
|
by BGP speakers further hops away. Those peers will not receive the
|
|
NOTIFY (unless they sit on a shared medium), however they might then be
|
|
able to trigger a DoS.
|
|
|
|
Fix: use the valid bound to calculate the length.
|
|
|
|
--- a/bgpd/bgp_attr.c
|
|
+++ b/bgpd/bgp_attr.c
|
|
@@ -2079,6 +2079,8 @@ bgp_attr_parse (struct peer *peer, struc
|
|
memset (seen, 0, BGP_ATTR_BITMAP_SIZE);
|
|
|
|
/* End pointer of BGP attribute. */
|
|
+ assert (size <= stream_get_size (BGP_INPUT (peer)));
|
|
+ assert (size <= stream_get_endp (BGP_INPUT (peer)));
|
|
endp = BGP_INPUT_PNT (peer) + size;
|
|
|
|
/* Get attributes to the end of attribute length. */
|
|
@@ -2160,7 +2162,7 @@ bgp_attr_parse (struct peer *peer, struc
|
|
bgp_notify_send_with_data (peer,
|
|
BGP_NOTIFY_UPDATE_ERR,
|
|
BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
|
|
- startp, attr_endp - startp);
|
|
+ startp, endp - startp);
|
|
return BGP_ATTR_PARSE_ERROR;
|
|
}
|
|
|