(for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI
When bgp_attr_print() tried to decode the variable-length nexthop value
for the NSAP VPN case, it did not check that the declared length is good
to interpret the value as a mapped IPv4 or IPv6 address. Add missing
checks to make this safe.

This fixes a buffer over-read discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.

Bhargava Shastry, SecT/TU Berlin, had independently identified this
vulnerability by means of fuzzing and provided the packet capture file
for the test.
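The length discipline the commit message describes, as an added example that is not tcpdump's code: a classifier for the NSAP VPN nexthop (8-byte RD followed by an NSAP) that only treats the value as an RFC 986 mapped IPv4 or RFC 1888 mapped IPv6 address when the declared length is exactly RD + prefix + address. The constant names, the sample nexthops and the `classify_nsap_vpn_nexthop()` function are assumptions made here; the prefix values and exact lengths are the ones the diff checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not tcpdump's code: the length discipline the fix adds for
 * an MP_REACH_NLRI nexthop with AFI NSAP / SAFI labeled VPN unicast. On the
 * wire the nexthop is an 8-byte Route Distinguisher followed by an NSAP. */
#define BGP_VPN_RD_LEN 8
#define RFC986_PREFIX_LEN 4   /* bytes 47 00 06 01, then a 4-byte IPv4 address */
#define RFC1888_PREFIX_LEN 3  /* bytes 35 00 00, then a 16-byte IPv6 address */

enum nsap_nh_kind { NH_PLAIN_NSAP = 0, NH_MAPPED_IPV4 = 1, NH_MAPPED_IPV6 = 2 };

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t get_be24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* 'nh' holds exactly 'tlen' bytes, the nexthop length declared in the packet.
 * Returns the kind and copies a mapped address into addr_out (4 or 16 bytes).
 * Before the fix only the prefix decided the kind, so a 35 00 00 prefix with
 * tlen == 21 made the decoder read 16 address bytes from offset 11: 6 bytes
 * past the end of the nexthop. The length test must come first so that the
 * prefix reads are never attempted on a nexthop shorter than they need. */
enum nsap_nh_kind classify_nsap_vpn_nexthop(const uint8_t *nh, size_t tlen,
                                            uint8_t *addr_out) {
    if (tlen == BGP_VPN_RD_LEN + RFC986_PREFIX_LEN + 4
        && get_be32(nh + BGP_VPN_RD_LEN) == 0x47000601) {
        memcpy(addr_out, nh + BGP_VPN_RD_LEN + RFC986_PREFIX_LEN, 4);
        return NH_MAPPED_IPV4;
    }
    if (tlen == BGP_VPN_RD_LEN + RFC1888_PREFIX_LEN + 16
        && get_be24(nh + BGP_VPN_RD_LEN) == 0x350000) {
        memcpy(addr_out, nh + BGP_VPN_RD_LEN + RFC1888_PREFIX_LEN, 16);
        return NH_MAPPED_IPV6;
    }
    return NH_PLAIN_NSAP; /* printed as a generic NSAP string, nothing more read */
}

/* Constructed sample nexthops (not taken from the page's pcap). */
static const uint8_t SAMPLE_MAPPED_V4[16] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x47, 0x00, 0x06, 0x01, 192, 0, 2, 1 };
static const uint8_t SAMPLE_MAPPED_V6[27] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x35, 0x00, 0x00,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
/* Same shape as the page's last NLRI: 35 00 00 prefix but nh-length only 21. */
static const uint8_t SAMPLE_SHORT_V6_PREFIX[21] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x35, 0x00, 0x00, 0x05, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```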
infrastation authored and fxlb committed Aug 27, 2019
1 parent 9a6eb27 commit 13d52e9
Showing 4 changed files with 282 additions and 2 deletions.
6 changes: 4 additions & 2 deletions print-bgp.c
@@ -1700,10 +1700,12 @@ bgp_attr_print(netdissect_options *ndo,
bgp_vpn_rd_print(ndo, tptr),
isonsap_string(ndo, tptr+BGP_VPN_RD_LEN,tlen-BGP_VPN_RD_LEN)));
/* rfc986 mapped IPv4 address ? */
if (EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601)
if (tlen == BGP_VPN_RD_LEN + 4 + sizeof(struct in_addr)
&& EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601)
ND_PRINT((ndo, " = %s", ipaddr_string(ndo, tptr+BGP_VPN_RD_LEN+4)));
/* rfc1888 mapped IPv6 address ? */
else if (EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000)
else if (tlen == BGP_VPN_RD_LEN + 3 + sizeof(struct in6_addr)
&& EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000)
ND_PRINT((ndo, " = %s", ip6addr_string(ndo, tptr+BGP_VPN_RD_LEN+3)));
tptr += tlen;
tlen = 0;
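Review bot: the new `tlen ==` tests must stay on the left of the `&&`, because EXTRACT_32BITS() and EXTRACT_24BITS() read 4 and 3 bytes past the RD unconditionally; a one-line comment on each `if` saying the operand order is load-bearing would keep a later reordering from reintroducing the over-read. The literal 4 and 3 (the RFC 986 and RFC 1888 prefix lengths) also deserve named constants next to BGP_VPN_RD_LEN so the length arithmetic reads as RD + prefix + address rather than as magic numbers.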
1 change: 1 addition & 0 deletions tests/TESTLIST
@@ -584,6 +584,7 @@ isakmp-various-oobr isakmp-various-oobr.pcap isakmp-various-oobr.out -v
aoe-oobr-1 aoe-oobr-1.pcap aoe-oobr-1.out -v -c1
frf16_magic_ie-oobr frf16_magic_ie-oobr.pcap frf16_magic_ie-oobr.out -v -c1
rx_serviceid_oobr rx_serviceid_oobr.pcap rx_serviceid_oobr.out -c3
bgp_mp_reach_nlri-oobr bgp_mp_reach_nlri-oobr.pcap bgp_mp_reach_nlri-oobr.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
277 changes: 277 additions & 0 deletions tests/bgp_mp_reach_nlri-oobr.out
@@ -0,0 +1,277 @@
IP (tos 0xff,CE, ttl 254, id 32783, offset 0, flags [rsvd], proto TCP (6), length 65535, bad cksum 8e15 (->5bbf)!)
241.0.128.39.179 > 239.0.0.1.0: Flags [none], seq 4144029695:4144095150, win 65535, options [eol], length 65455: BGP [|BGP]
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Attribute Set (128), length: 32768, Flags [OTPE+f]: [|BGP] [|BGP]
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 0
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
nexthop: invalid len, nh-length: 1, no SNPA
RD: unknown RD format, 00.0000.0000.0d00.0000.0000.00/91, label:15 (bottom)
(illegal prefix length)
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
nexthop: RD: unknown RD format, 05.0000.0000.0000.0000.000d.0000, nh-length: 21, no SNPA
(illegal prefix length)
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (80), length: 0
no Attribute 80 decoder
Unknown Attribute (157), length: 161, Flags [P+d]:
no Attribute 157 decoder
0x0000: 0280 fdff ffff ffff ffff ffff ffff ffff
0x0010: ffff ff00 2d02 0003 f1ff 7bc3 b2ff 8000
0x0020: 0700 0000 df00 c123 0000 0000 00a1 0200
0x0030: 9eff ffff ffff ffff ffff ffff ffff ff94
0x0040: 9494 2d02 0003 f1ff 7bc3 b2ff 8000 0700
0x0050: 0000 0046 0ee3 0003 8015 00b3 0000 f700
0x0060: dfee 0500 0000 0000 0000 0000 0000 0000
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000
0x0080: 0000 de00 0000 0000 0000 0000 0000 0001
0x0090: 0000 0000 0000 0000 0000 0000 0000 0000
0x00a0: 00
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 140
no Attribute 0 decoder
0x0000: 0000 0000 0000 0080 27ef 0000 0100 c600
0x0010: 007f f3f9 8900 0107 07d4 2d9d a102 80fd
0x0020: ecff ff04 00ff 4000 0000 ffff ffff ffff
0x0030: 002d 0200 03f1 ff7b c3b2 ff80 0007 434c
0x0040: 4945 4e54 0000 00df 00c1 2300 0000 0000
0x0050: ff00 0000 ff00 0000 04ff ffff ffff ffff
0x0060: ffff ffff 002d 0200 03f1 ff7b c3b2 ff80
0x0070: 0007 0000 0000 460e e300 0380 1500 b300
0x0080: 00f7 00df ee35 0000 0500 0000
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder[|BGP] [|BGP]
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 223
Unknown Attribute (193), length: 35
no Attribute 193 decoder
0x0000: 0000 0000 00a1 0200 9eff ffff ffff fffc
0x0010: ffff ffff ffff ffff ff00 2d02 0003 f1ff
0x0020: 7bc3 b2
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 0
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
nexthop: RD: unknown RD format, 05.0000.0000.0000.0000.000d.0000, nh-length: 21, no SNPA
(illegal prefix length)
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (80), length: 0
no Attribute 80 decoder
Unknown Attribute (157), length: 161, Flags [P+d]:
no Attribute 157 decoder
0x0000: 0280 fdff ffff ffff ffff ffff ffff ffff
0x0010: ffff ff00 2d02 0003 f1ff 7bc3 b2ff 8000
0x0020: 0700 0000 df00 c123 0000 0000 00a1 0200
0x0030: 9eff ffff ffff ffff ffff ffff ffff ff94
0x0040: 9494 2d02 0003 f1ff 7bc3 b2ff 8000 0700
0x0050: 0000 0046 0ee3 0003 8015 00b3 0000 f700
0x0060: dfee 0500 0000 0000 0000 0000 0000 0000
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000
0x0080: 0000 de00 0000 0000 0000 0000 0000 0001
0x0090: 0000 0000 0000 0000 0000 0000 0000 0000
0x00a0: 00
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 140
no Attribute 0 decoder
0x0000: 0000 0000 0000 0080 27ef 0000 0100 c600
0x0010: 007f f3f9 8900 0107 07d4 2d9d a102 80fd
0x0020: ecff ff04 00ff 4000 0000 ffff ffff ffff
0x0030: 002d 0200 03f1 ff7b c3b2 ff80 0007 434c
0x0040: 4945 4e54 0000 00df 00c1 2300 0000 0000
0x0050: ff00 0000 ff00 0000 04ff ffff ffff ffff
0x0060: ffff ffff 002d 0200 03f1 ff7b c3b2 ff80
0x0070: 0007 0000 0000 460e e300 0380 1500 b300
0x0080: 00f7 00df ee35 0000 0500 0000
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder[|BGP] [|BGP]
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 223
Unknown Attribute (193), length: 35
no Attribute 193 decoder
0x0000: 0000 0000 00a1 0200 0aff ffff ffff ffff
0x0010: ffff ffff ffff ffff ff00 2d02 0003 f1ff
0x0020: 7bc3 b2
Unknown Attribute (241), length: 255, Flags [+3]:
no Attribute 241 decoder
0x0000: 7bc3 b2ff 8000 0700 0000 0046 0ee3 0003
0x0010: 8001 00b3 0000 f700 dfee 0500 0000 0000
0x0020: 0000 0000 0d00 0000 0000 0000 0000 0000
0x0030: 0000 0000 0000 00ff 8000 0700 0000 0046
0x0040: 0ee3 0003 8015 00cd 0000 f700 dfee 0500
0x0050: 0000 0000 0000 0000 1b00 0000 fff5 0000
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000
0x0070: 0000 0000 0000 0000 5000 2d9d a102 80fd
0x0080: ffff ffff ffff ffff ffff ffff ffff ffff
0x0090: 002d 0200 03f1 ff7b c3b2 ff80 0007 0000
0x00a0: 00df 00c1 2300 0000 0000 a102 009e ffff
0x00b0: ffff ffff ffff ffff ffff ffff 9494 942d
0x00c0: 0200 03f1 ff7b c3b2 ff80 0007 0000 0000
0x00d0: 460e e300 0380 1500 b300 00f7 00df ee05
0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000
0x00f0: 0000 0000 0000 0000 0000 0000 0000 00
Unknown Attribute (0), length: 0, Flags [OTE+e]:
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0, Flags [+1]:
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 140
no Attribute 0 decoder
0x0000: 0000 0000 0000 0080 27ef 0000 0100 c600
0x0010: 007f f3f9 8900 0107 07d4 2d9d a102 80fd
0x0020: ecff ff04 00ff 4000 0000 ffff ffff ffff
0x0030: 002d 0200 03f1 ff7b c3b2 ff80 0007 434c
0x0040: 4945 4e54 0000 00df 00c1 2300 0000 0000
0x0050: ff00 0000 ff00 0000 04ff ffff ffff ffff
0x0060: ffff ffff 002d 0200 03f1 ff7b c3b2 ff80
0x0070: 0007 0000 0000 460e e300 0380 1500 b300
0x0080: 00f7 00df ee35 0000 0500 0000
Unknown Attribute (0), length: 0
no Attribute 0 decoder
Unknown Attribute (0), length: 0
no Attribute 0 decoder[|BGP] [|BGP]
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Unknown Attribute (241), length: 255, Flags [+3]: [|BGP] [|BGP]
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 223
Unknown Attribute (193), length: 35
no Attribute 193 decoder
0x0000: 0000 0000 00a1 0200 9eff ffff ffff ffff
0x0010: ffff ffff ffff ff94 9494 2d02 0003 f1ff
0x0020: 7bc3 b2
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 0
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
nexthop: RD: unknown RD format, 05.0000.0000.0000.0000.0000.0000, nh-length: 21, no SNPA
(illegal prefix length)
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 0
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
nexthop: RD: unknown RD format, 35.0000.0500.0000.0000.0000.0000, nh-length: 21, no SNPA
(illegal prefix length)[|BGP]
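Review bot: the expected output does exercise the new IPv6 branch, but only in its very last NLRI: the nexthop printed as 35.0000.0500.0000.0000.0000.0000 with nh-length 21 has the 0x350000 prefix that EXTRACT_24BITS() matches, yet 21 is not BGP_VPN_RD_LEN + 3 + 16 (27), so no mapped address is printed where the old code would have read 16 address bytes starting at offset 11 of a 21-byte nexthop. The earlier MP_REACH_NLRI entries (05.0000... prefixes, nh-length 1) never reach the mapped-address tests, so a short note in the commit message pointing at that final packet as the trigger would make the 277-line .out file much easier to review.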
Binary file added tests/bgp_mp_reach_nlri-oobr.pcap