
bgpd: Missing length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE #13099

Closed
2 tasks
melissa-cjt opened this issue Mar 24, 2023 · 4 comments · Fixed by #12454

@melissa-cjt


Describe the bug

  • Did you check if this is a duplicate issue?
  • Did you test it on the latest FRRouting/frr master branch?

Hello, I have found a bug in bgp_attr_psid_sub: there is a missing check for type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get the reserved field.

```c
/* Placeholder code for the SRv6 L3 Service type */
else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
	if (STREAM_READABLE(peer->curr) < length) {
		flog_err(
			EC_BGP_ATTR_LEN,
			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
			length, STREAM_READABLE(peer->curr));
		return bgp_attr_malformed(args,
			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
			 args->total);
	}

	/* ignore reserved */
	/* note: nothing above verifies that length covers this byte, so length == 0 reaches the read */
	stream_getc(peer->curr);
```

To Reproduce

When I construct a psid_sub TLV with Type = 5 and Length = 0, FRRouting will crash.
Expected behavior

Screenshots

Versions

  • OS Version:
  • Kernel:
  • FRR Version:

Additional context
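Added example, not FRR's code and not the fix from #12454: a constructed model of the stream reader showing how a Length of 0 passes the `readable < length` guard from the snippet above and still reaches the reserved-byte read, beside the extra check that rejects it. `mstream`, `ms_getc`, `run_case` and the `hardened` flag are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for FRR's stream: a byte buffer plus a read cursor.
 * Only the pieces needed to show the length-check logic are modelled. */
struct mstream {
	const uint8_t *buf;
	size_t len;   /* bytes available */
	size_t getp;  /* read position */
};

static size_t ms_readable(const struct mstream *s)
{
	return s->len - s->getp;
}

/* Model of stream_getc(): reports an over-read as -1 instead of reading
 * past the buffer, so the test can observe the defect without crashing. */
static int ms_getc(struct mstream *s)
{
	if (ms_readable(s) < 1)
		return -1;
	return s->buf[s->getp++];
}

enum psid_result { PSID_OK, PSID_MALFORMED, PSID_OVERREAD };
/* Consumes the reserved byte of an SRv6 L3 Service sub-TLV whose Type/Length
 * the caller already read.  With hardened == false it mirrors the reported
 * logic: the only guard is "readable < length", which a Length of 0 passes
 * before the reserved byte is read. */
static enum psid_result read_srv6_l3_reserved(struct mstream *s, uint16_t length, bool hardened)
{
	if (ms_readable(s) < length)
		return PSID_MALFORMED;   /* check present in the reported code */
	if (hardened && length < 1)
		return PSID_MALFORMED;   /* added: the value must contain the reserved byte */
	if (ms_getc(s) < 0)
		return PSID_OVERREAD;    /* reserved byte */
	return PSID_OK;
}

/* Test helper: a zeroed buffer with `remaining` (<= 8) bytes left after the TLV header. */
static enum psid_result run_case(uint16_t length, size_t remaining, bool hardened)
{
	static const uint8_t buf[8] = {0};
	struct mstream s = { buf, remaining, 0 };
	return read_srv6_l3_reserved(&s, length, hardened);
}
```

Note that with bytes still in the stream the unhardened path does not fail at all: it silently consumes a byte that belongs to whatever follows the sub-TLV, which is why the length of each value must be validated against every field read from it.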

@melissa-cjt melissa-cjt added the triage Needs further investigation label Mar 24, 2023
@ton31337 ton31337 added bgp and removed triage Needs further investigation labels Mar 24, 2023
@donaldsharp
Member

I pushed a PR for this back in December but it's been stalled due to me being busy with some other stuff
#12454

I'll get back to it today and get this in

@abergmann

CVE-2023-31490 was assigned to this issue.

@zzxgzgz

zzxgzgz commented May 24, 2023


Hi Melissa,

Could you please share with us on how to construct a message that can reproduce this crash?

I tried to use Scapy but I'm not sure how to construct such a message.

Thank you!

@yusky2003

Can you share the PoC and the BGP configuration? Thanks!

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Jul 31, 2023
An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp_attr_psid_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
[Fixup so patch would apply]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue Aug 9, 2023
Source: meta-openembedded
MR: 127624
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 8ab74be
Description:

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp_attr_psid_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
[Fixup so patch would apply]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>