Describe the bug
Hello, I have found a bug in bgp_capability_llgr: its length check is wrong. In the draft document the tuple has 7 bytes, as shown in the following figure.
The capability value consists of zero or more tuples <AFI, SAFI, Flags, Long-lived Stale Time> as follows:
```
+--------------------------------------------------+
| Address Family Identifier (16 bits)              |
+--------------------------------------------------+
| Subsequent Address Family Identifier (8 bits)    |
+--------------------------------------------------+
| Flags for Address Family (8 bits)                |
+--------------------------------------------------+
| Long-lived Stale Time (24 bits)                  |
+--------------------------------------------------+
```
However, in the code it only checks 4 bytes.
```c
/* the guard allows 4 bytes, but the body reads 2 + 1 + 1 + 3 = 7 bytes */
while (stream_get_getp(s) + 4 <= end) {
	afi_t afi;
	safi_t safi;
	iana_afi_t pkt_afi = stream_getw(s);
	iana_safi_t pkt_safi = stream_getc(s);
	uint8_t flags = stream_getc(s);
	uint32_t stale_time = stream_get3(s);
}
```
To Reproduce
If I construct a packet whose LLGR capability has only 6 bytes, FRRouting crashes.
```
BGP: in thread bgp_process_packet scheduled from bgpd/bgp_io.c:269 bgp_process_reads()
... (core_handler memstats allocation dump omitted) ...
Aborted (core dumped)
```
Expected behavior
Screenshots
Versions
Additional context
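An added hardened parser, not FRR's code, showing the check the report points at: the loop guard must cover the whole 7-byte tuple, and a trailing partial tuple is rejected instead of read. llgr_parse, the struct and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* One LLGR tuple: AFI (2) + SAFI (1) + Flags (1) + Stale Time (3) = 7 bytes.
 * The report shows the loop guarding with "+ 4" while reading all 7. */
#define LLGR_TUPLE_LEN 7

struct llgr_tuple {
	uint16_t afi;
	uint8_t safi;
	uint8_t flags;
	uint32_t stale_time;   /* 24-bit value */
};

/* Hypothetical hardened parser (not FRR's code): parse an LLGR capability
 * value of len bytes into out[] (at most max tuples).
 * Returns the number of tuples, or -1 on a malformed value. */
int llgr_parse(const uint8_t *val, size_t len, struct llgr_tuple *out, size_t max)
{
	size_t pos = 0, n = 0;
	while (pos + LLGR_TUPLE_LEN <= len) {   /* guard covers the full tuple */
		const uint8_t *p = val + pos;
		if (n == max)
			return -1;
		out[n].afi = (uint16_t)((p[0] << 8) | p[1]);
		out[n].safi = p[2];
		out[n].flags = p[3];
		out[n].stale_time = ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 8) | p[6];
		pos += LLGR_TUPLE_LEN;
		n++;
	}
	/* A trailing partial tuple (e.g. the 6-byte case) is rejected, not read. */
	return pos == len ? (int)n : -1;
}

/* Constructed sample values: one well-formed tuple, one truncated to 6 bytes. */
static const uint8_t sample_ok[7] = {0x00, 0x01, 0x01, 0x80, 0x00, 0x00, 0x3c};
static const uint8_t sample_short[6] = {0x00, 0x01, 0x01, 0x80, 0x00, 0x00};

int llgr_demo_ok(void)
{
	struct llgr_tuple t[1];
	return llgr_parse(sample_ok, sizeof sample_ok, t, 1) == 1 && t[0].afi == 1 && t[0].stale_time == 60;
}

int llgr_demo_short(void)
{
	struct llgr_tuple t[1];
	return llgr_parse(sample_short, sizeof sample_short, t, 1) == -1;
}
```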
Can you share the script to test it?
Sure, below is my PoC. poc-llgr.zip
Thanks, fixed.
CVE-2023-31489 was assigned to this issue.
@ton31337 could you reference a commit or PR, please?
b1d33ec