bgpd: Missing length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE #13099

Closed
2 tasks
melissa-cjt opened this issue Mar 24, 2023 · 2 comments · Fixed by #12454

@melissa-cjt

Describe the bug

  • Did you check if this is a duplicate issue?
  • Did you test it on the latest FRRouting/frr master branch?

Hello, I have found a bug in bgp_attr_psid_sub: there is a missing check for type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get the reserved field.

/* Placeholder code for the SRv6 L3 Service type */
else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
	if (STREAM_READABLE(peer->curr) < length) {
		flog_err(
			EC_BGP_ATTR_LEN,
			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
			length, STREAM_READABLE(peer->curr));
		return bgp_attr_malformed(args,
			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
			 args->total);
	}

	/* ignore reserved */
	stream_getc(peer->curr);

To Reproduce

When I construct a psid_sub TLV with Type = 5 and Length = 0, FRRouting will crash.

Expected behavior

Screenshots

Versions

  • OS Version:
  • Kernel:
  • FRR Version:

Additional context

@melissa-cjt melissa-cjt added the triage Needs further investigation label Mar 24, 2023
@ton31337 ton31337 added bgp and removed triage Needs further investigation labels Mar 24, 2023
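
The length handling the report points at, as an added example that is not FRR's code and not the fix in #12454: the quoted check only compares the declared length with the bytes remaining, so a declared length of 0 always satisfies it and the following one-byte read is not covered. The reader struct, function names and return codes below are hypothetical; the 1-byte type / 2-byte length header and a minimum of one octet (the reserved field from the snippet) are the example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounded reader; stands in for FRR's stream, not its API. */
struct rd { const uint8_t *p; size_t left; };

enum { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_TOO_SHORT = -2 };
#define SRV6_L3_SERVICE 5 /* type value quoted in the report */
#define L3_SERVICE_MIN  1 /* the reserved octet read after the check */

/* Parse one TLV: 1-byte type, 2-byte big-endian length, then the value. */
static int parse_psid_tlv(struct rd *r)
{
	if (r->left < 3)
		return TLV_TRUNCATED;
	uint8_t type = r->p[0];
	uint16_t length = (uint16_t)((r->p[1] << 8) | r->p[2]);
	r->p += 3;
	r->left -= 3;

	/* Check 1: the declared length must fit in what remains. */
	if (r->left < length)
		return TLV_TRUNCATED;
	/* Check 2: the declared length must cover every fixed field that is
	 * read afterwards. Length = 0 passes check 1 but fails here. */
	if (type == SRV6_L3_SERVICE && length < L3_SERVICE_MIN)
		return TLV_TOO_SHORT;

	/* Sub-TLVs are not decoded here; consume exactly `length` bytes. */
	r->p += length;
	r->left -= length;
	return TLV_OK;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t ZERO_LEN[] = { 5, 0, 0 };    /* Type 5, Length 0 */
static const uint8_t MINIMAL[]  = { 5, 0, 1, 0 }; /* reserved octet only */
static const uint8_t OVERRUN[]  = { 5, 0, 9, 0 }; /* claims 9, has 1 */

static int check_bytes(const uint8_t *buf, size_t n)
{
	struct rd r = { buf, n };
	return parse_psid_tlv(&r);
}

int main(void)
{
	printf("%d %d %d\n", check_bytes(ZERO_LEN, sizeof ZERO_LEN),
	       check_bytes(MINIMAL, sizeof MINIMAL),
	       check_bytes(OVERRUN, sizeof OVERRUN));
	return 0;
}
```
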
@donaldsharp
Member

I pushed a PR for this back in December but it's been stalled due to me being busy with some other stuff
#12454

I'll get back to it today and get this in

@abergmann

CVE-2023-31490 was assigned to this issue.
