-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bgpd: Missing length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE #13099
Comments
I pushed a PR for this back in December but it's been stalled due to me being busy with some other stuff I'll get back to it today and get this in |
CVE-2023-31490 was assigned to this issue. |
Hi Melissa, Could you please share with us on how to construct a message that can reproduce this crash? I tried to use scappy but I'm not sure how to construct such a message. Thank you! |
can you share the PoC and the bgp configuration? thanks! |
An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function. References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> [Fixup so patch would apply] Signed-off-by: Armin Kuster <akuster808@gmail.com>
Source: meta-openembedded MR: 127624 Type: Integration Disposition: Merged from meta-openembedded ChangeID: 8ab74be Description: An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function. References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> [Fixup so patch would apply] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Describe the bug
Hello, I have find a bug in bgp_attr_psid_sub, there is a missing check of the type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get reseverd field.
To Reproduce
When I construct a psid_sub TLV, Type = 5 and Length = 0, Frrouting will crash.
Expected behavior
Screenshots
Versions
Additional context
The text was updated successfully, but these errors were encountered: