
Commit 13d52e9

infrastation authored and fxlb committed
(for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI
When bgp_attr_print() tried to decode the variable-length nexthop value for the NSAP VPN case, it did not check that the declared length is good to interpret the value as a mapped IPv4 or IPv6 address. Add missing checks to make this safe. This fixes a buffer over-read discovered by Include Security working under the Mozilla SOS program in 2018 by means of code audit. Bhargava Shastry, SecT/TU Berlin, had independently identified this vulnerability by means of fuzzing and provided the packet capture file for the test.
1 parent 9a6eb27 commit 13d52e9
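The decoding the commit message describes, as an added stand-alone model in C. This is example code, not tcpdump's print-bgp.c: the function names, the nh_decoded type and the sample next-hops are this example's own. It keeps the layout from the commit (an 8-octet RD followed by a variable-length NSAP; prefix 47.0006.01 marks an RFC 986 mapped IPv4 address, prefix 35.0000 an RFC 1888 mapped IPv6 address), puts the pre-fix interpretation beside the length-checked one, and runs both over a constructed 21-octet next-hop shaped like the last one in the test's expected output (NSAP starting 35.0000, nh-length 21; the RD octets are assumed).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BGP_VPN_RD_LEN     8   /* Route Distinguisher, as in print-bgp.c */
#define RFC986_PREFIX_LEN  4   /* NSAP prefix 47.0006.01 */
#define RFC1888_PREFIX_LEN 3   /* NSAP prefix 35.0000 */
#define IN_ADDR_LEN        4
#define IN6_ADDR_LEN       16

enum nh_kind { NH_INVALID, NH_NSAP, NH_MAPPED_IPV4, NH_MAPPED_IPV6 };

struct nh_decoded {
    enum nh_kind kind;
    char text[48];          /* mapped address as text, empty otherwise */
};

/* Big-endian load of n octets (n <= 4), like EXTRACT_24BITS/EXTRACT_32BITS. */
static uint32_t getbe(const uint8_t *p, int n)
{
    uint32_t v = 0;
    int i;
    for (i = 0; i < n; i++)
        v = (v << 8) | p[i];
    return v;
}

/*
 * Model of the pre-fix logic: compare four octets after the RD, then read
 * the mapped address, never consulting tlen.  Returns how many octets of
 * the next-hop that interpretation touches; a value above tlen is a read
 * past the declared next-hop.  The prefix is only looked at here when it
 * lies inside tlen, so this model itself never over-reads.
 */
size_t unchecked_bytes_read(const uint8_t *nh, size_t tlen)
{
    size_t cmp = BGP_VPN_RD_LEN + RFC986_PREFIX_LEN;   /* the 32-bit compare */

    if (tlen < cmp)
        return cmp;                             /* the compare itself over-reads */
    if (getbe(nh + BGP_VPN_RD_LEN, 4) == 0x47000601)
        return BGP_VPN_RD_LEN + RFC986_PREFIX_LEN + IN_ADDR_LEN;    /* 16 */
    if (getbe(nh + BGP_VPN_RD_LEN, 3) == 0x350000)
        return BGP_VPN_RD_LEN + RFC1888_PREFIX_LEN + IN6_ADDR_LEN;  /* 27 */
    return cmp;
}

/*
 * Fixed logic: a mapped address is recognised only when tlen is exactly
 * RD + prefix + address, so every octet read lies inside the declared
 * next-hop; any other length is reported as a plain NSAP.
 */
struct nh_decoded decode_nsap_vpn_nexthop(const uint8_t *nh, size_t tlen)
{
    struct nh_decoded r;
    const uint8_t *nsap = nh + BGP_VPN_RD_LEN;

    memset(&r, 0, sizeof r);
    if (tlen < BGP_VPN_RD_LEN + 1) {            /* RD plus at least one NSAP octet */
        r.kind = NH_INVALID;
    } else if (tlen == BGP_VPN_RD_LEN + RFC986_PREFIX_LEN + IN_ADDR_LEN &&
               getbe(nsap, 4) == 0x47000601) {
        const uint8_t *a = nsap + RFC986_PREFIX_LEN;
        r.kind = NH_MAPPED_IPV4;
        snprintf(r.text, sizeof r.text, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
    } else if (tlen == BGP_VPN_RD_LEN + RFC1888_PREFIX_LEN + IN6_ADDR_LEN &&
               getbe(nsap, 3) == 0x350000) {
        const uint8_t *a = nsap + RFC1888_PREFIX_LEN;
        size_t n = 0;
        int i;
        r.kind = NH_MAPPED_IPV6;
        for (i = 0; i < IN6_ADDR_LEN; i += 2)
            n += (size_t)snprintf(r.text + n, sizeof r.text - n, "%s%02x%02x",
                                  i ? ":" : "", a[i], a[i + 1]);
    } else {
        r.kind = NH_NSAP;
    }
    return r;
}

/* Decode and compare the mapped-address text (helper for tests). */
int nexthop_text_is(const uint8_t *nh, size_t tlen, const char *want)
{
    struct nh_decoded r = decode_nsap_vpn_nexthop(nh, tlen);
    return strcmp(r.text, want) == 0;
}

/* Constructed inputs, not taken from the pcap.  crafted_nh mirrors the
 * last next-hop in the expected test output: 8 RD octets (assumed values)
 * and a 13-octet NSAP starting 35.0000, nh-length 21. */
const uint8_t crafted_nh[21] = {
    0xff, 0x80, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00,        /* RD */
    0x35, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,  /* NSAP */
    0x00, 0x00, 0x00, 0x00
};
const uint8_t ipv4_nh[16] = {
    0, 0, 0, 1, 0, 0, 0, 1,                      /* RD */
    0x47, 0x00, 0x06, 0x01, 192, 0, 2, 1         /* RFC 986 prefix + 192.0.2.1 */
};
const uint8_t ipv6_nh[27] = {
    0, 0, 0, 1, 0, 0, 0, 1,                      /* RD */
    0x35, 0x00, 0x00,                            /* RFC 1888 prefix */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
};

int main(void)
{
    struct nh_decoded r = decode_nsap_vpn_nexthop(crafted_nh, sizeof crafted_nh);
    printf("crafted: old logic reads %zu of %zu octets, new logic kind=%d\n",
           unchecked_bytes_read(crafted_nh, sizeof crafted_nh),
           sizeof crafted_nh, (int)r.kind);
    r = decode_nsap_vpn_nexthop(ipv6_nh, sizeof ipv6_nh);
    printf("ipv6: %s\n", r.text);
    return 0;
}
```

For the crafted input the old interpretation needs 27 octets of a 21-octet next-hop, which is the over-read the commit closes; the fixed decoder prints it as a plain NSAP and only maps an address when the length is exactly 16 or 27.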

4 files changed

+282
-2
lines changed


Diff for: print-bgp.c

+4-2
@@ -1700,10 +1700,12 @@ bgp_attr_print(netdissect_options *ndo,
17001700
bgp_vpn_rd_print(ndo, tptr),
17011701
isonsap_string(ndo, tptr+BGP_VPN_RD_LEN,tlen-BGP_VPN_RD_LEN)));
17021702
/* rfc986 mapped IPv4 address ? */
1703-
if (EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601)
1703+
if (tlen == BGP_VPN_RD_LEN + 4 + sizeof(struct in_addr)
1704+
&& EXTRACT_32BITS(tptr+BGP_VPN_RD_LEN) == 0x47000601)
17041705
ND_PRINT((ndo, " = %s", ipaddr_string(ndo, tptr+BGP_VPN_RD_LEN+4)));
17051706
/* rfc1888 mapped IPv6 address ? */
1706-
else if (EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000)
1707+
else if (tlen == BGP_VPN_RD_LEN + 3 + sizeof(struct in6_addr)
1708+
&& EXTRACT_24BITS(tptr+BGP_VPN_RD_LEN) == 0x350000)
17071709
ND_PRINT((ndo, " = %s", ip6addr_string(ndo, tptr+BGP_VPN_RD_LEN+3)));
17081710
tptr += tlen;
17091711
tlen = 0;
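Review bot: the equality tests added at lines 1703 and 1707 bound the prefix compare and the address read to the declared next-hop length, but nothing in this hunk shows tlen being validated before the isonsap_string(ndo, tptr+BGP_VPN_RD_LEN, tlen-BGP_VPN_RD_LEN) call at line 1701; the "nexthop: invalid len, nh-length: 1" line in the new expected output suggests a short-length check exists above the hunk, so please confirm it rejects tlen < BGP_VPN_RD_LEN+1 and that the tlen octets are ND_TCHECKed, otherwise that subtraction underflows and the new checks do not help. A comment next to 0x47000601 and 0x350000 giving the required totals (8 + 4 + 4 = 16 octets for the RFC 986 case, 8 + 3 + 16 = 27 for RFC 1888) would make the exact-length rule easier to audit, since a mapped prefix with any other total length now falls through to the plain NSAP rendering on line 1701.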

Diff for: tests/TESTLIST

+1
@@ -584,6 +584,7 @@ isakmp-various-oobr isakmp-various-oobr.pcap isakmp-various-oobr.out -v
584584
aoe-oobr-1 aoe-oobr-1.pcap aoe-oobr-1.out -v -c1
585585
frf16_magic_ie-oobr frf16_magic_ie-oobr.pcap frf16_magic_ie-oobr.out -v -c1
586586
rx_serviceid_oobr rx_serviceid_oobr.pcap rx_serviceid_oobr.out -c3
587+
bgp_mp_reach_nlri-oobr bgp_mp_reach_nlri-oobr.pcap bgp_mp_reach_nlri-oobr.out -v -c1
587588

588589
# bad packets from Katie Holly
589590
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
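Review bot: the new entry on line 587 uses -v -c1 like the neighbouring oobr tests, which is enough here because the whole trigger sits in the first packet's 65455-byte TCP payload, and the pcap and .out names match the files this commit adds; a comment naming the CVE and reporters, in the style of the "# bad packets from Katie Holly" line below, would help a reader find this case later, since the block it joins is otherwise unlabelled.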

Diff for: tests/bgp_mp_reach_nlri-oobr.out

+277
@@ -0,0 +1,277 @@
1+
IP (tos 0xff,CE, ttl 254, id 32783, offset 0, flags [rsvd], proto TCP (6), length 65535, bad cksum 8e15 (->5bbf)!)
2+
241.0.128.39.179 > 239.0.0.1.0: Flags [none], seq 4144029695:4144095150, win 65535, options [eol], length 65455: BGP [|BGP]
3+
Update Message (2), length: 45
4+
Withdrawn routes: 3 bytes
5+
Attribute Set (128), length: 32768, Flags [OTPE+f]: [|BGP] [|BGP]
6+
Update Message (2), length: 45
7+
Withdrawn routes: 3 bytes
8+
Attribute Set (128), length: 7, Flags [OTPE+f]:
9+
Origin AS: 0
10+
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
11+
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
12+
nexthop: invalid len, nh-length: 1, no SNPA
13+
RD: unknown RD format, 00.0000.0000.0d00.0000.0000.00/91, label:15 (bottom)
14+
(illegal prefix length)
15+
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
16+
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
17+
nexthop: RD: unknown RD format, 05.0000.0000.0000.0000.000d.0000, nh-length: 21, no SNPA
18+
(illegal prefix length)
19+
Unknown Attribute (0), length: 0
20+
no Attribute 0 decoder
21+
Unknown Attribute (0), length: 0
22+
no Attribute 0 decoder
23+
Unknown Attribute (0), length: 0
24+
no Attribute 0 decoder
25+
Unknown Attribute (0), length: 0
26+
no Attribute 0 decoder
27+
Unknown Attribute (0), length: 0
28+
no Attribute 0 decoder
29+
Unknown Attribute (80), length: 0
30+
no Attribute 80 decoder
31+
Unknown Attribute (157), length: 161, Flags [P+d]:
32+
no Attribute 157 decoder
33+
0x0000: 0280 fdff ffff ffff ffff ffff ffff ffff
34+
0x0010: ffff ff00 2d02 0003 f1ff 7bc3 b2ff 8000
35+
0x0020: 0700 0000 df00 c123 0000 0000 00a1 0200
36+
0x0030: 9eff ffff ffff ffff ffff ffff ffff ff94
37+
0x0040: 9494 2d02 0003 f1ff 7bc3 b2ff 8000 0700
38+
0x0050: 0000 0046 0ee3 0003 8015 00b3 0000 f700
39+
0x0060: dfee 0500 0000 0000 0000 0000 0000 0000
40+
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000
41+
0x0080: 0000 de00 0000 0000 0000 0000 0000 0001
42+
0x0090: 0000 0000 0000 0000 0000 0000 0000 0000
43+
0x00a0: 00
44+
Unknown Attribute (0), length: 0
45+
no Attribute 0 decoder
46+
Unknown Attribute (0), length: 0
47+
no Attribute 0 decoder
48+
Unknown Attribute (0), length: 0
49+
no Attribute 0 decoder
50+
Unknown Attribute (0), length: 0
51+
no Attribute 0 decoder
52+
Unknown Attribute (0), length: 0
53+
no Attribute 0 decoder
54+
Unknown Attribute (0), length: 0
55+
no Attribute 0 decoder
56+
Unknown Attribute (0), length: 0
57+
no Attribute 0 decoder
58+
Unknown Attribute (0), length: 0
59+
no Attribute 0 decoder
60+
Unknown Attribute (0), length: 0
61+
no Attribute 0 decoder
62+
Unknown Attribute (0), length: 0
63+
no Attribute 0 decoder
64+
Unknown Attribute (0), length: 0
65+
no Attribute 0 decoder
66+
Unknown Attribute (0), length: 0
67+
no Attribute 0 decoder
68+
Unknown Attribute (0), length: 0
69+
no Attribute 0 decoder
70+
Unknown Attribute (0), length: 140
71+
no Attribute 0 decoder
72+
0x0000: 0000 0000 0000 0080 27ef 0000 0100 c600
73+
0x0010: 007f f3f9 8900 0107 07d4 2d9d a102 80fd
74+
0x0020: ecff ff04 00ff 4000 0000 ffff ffff ffff
75+
0x0030: 002d 0200 03f1 ff7b c3b2 ff80 0007 434c
76+
0x0040: 4945 4e54 0000 00df 00c1 2300 0000 0000
77+
0x0050: ff00 0000 ff00 0000 04ff ffff ffff ffff
78+
0x0060: ffff ffff 002d 0200 03f1 ff7b c3b2 ff80
79+
0x0070: 0007 0000 0000 460e e300 0380 1500 b300
80+
0x0080: 00f7 00df ee35 0000 0500 0000
81+
Unknown Attribute (0), length: 0
82+
no Attribute 0 decoder
83+
Unknown Attribute (0), length: 0
84+
no Attribute 0 decoder[|BGP] [|BGP]
85+
Update Message (2), length: 45
86+
Withdrawn routes: 3 bytes
87+
Attribute Set (128), length: 7, Flags [OTPE+f]:
88+
Origin AS: 223
89+
Unknown Attribute (193), length: 35
90+
no Attribute 193 decoder
91+
0x0000: 0000 0000 00a1 0200 9eff ffff ffff fffc
92+
0x0010: ffff ffff ffff ffff ff00 2d02 0003 f1ff
93+
0x0020: 7bc3 b2
94+
Attribute Set (128), length: 7, Flags [OTPE+f]:
95+
Origin AS: 0
96+
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
97+
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
98+
nexthop: RD: unknown RD format, 05.0000.0000.0000.0000.000d.0000, nh-length: 21, no SNPA
99+
(illegal prefix length)
100+
Unknown Attribute (0), length: 0
101+
no Attribute 0 decoder
102+
Unknown Attribute (0), length: 0
103+
no Attribute 0 decoder
104+
Unknown Attribute (0), length: 0
105+
no Attribute 0 decoder
106+
Unknown Attribute (0), length: 0
107+
no Attribute 0 decoder
108+
Unknown Attribute (0), length: 0
109+
no Attribute 0 decoder
110+
Unknown Attribute (80), length: 0
111+
no Attribute 80 decoder
112+
Unknown Attribute (157), length: 161, Flags [P+d]:
113+
no Attribute 157 decoder
114+
0x0000: 0280 fdff ffff ffff ffff ffff ffff ffff
115+
0x0010: ffff ff00 2d02 0003 f1ff 7bc3 b2ff 8000
116+
0x0020: 0700 0000 df00 c123 0000 0000 00a1 0200
117+
0x0030: 9eff ffff ffff ffff ffff ffff ffff ff94
118+
0x0040: 9494 2d02 0003 f1ff 7bc3 b2ff 8000 0700
119+
0x0050: 0000 0046 0ee3 0003 8015 00b3 0000 f700
120+
0x0060: dfee 0500 0000 0000 0000 0000 0000 0000
121+
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000
122+
0x0080: 0000 de00 0000 0000 0000 0000 0000 0001
123+
0x0090: 0000 0000 0000 0000 0000 0000 0000 0000
124+
0x00a0: 00
125+
Unknown Attribute (0), length: 0
126+
no Attribute 0 decoder
127+
Unknown Attribute (0), length: 0
128+
no Attribute 0 decoder
129+
Unknown Attribute (0), length: 0
130+
no Attribute 0 decoder
131+
Unknown Attribute (0), length: 0
132+
no Attribute 0 decoder
133+
Unknown Attribute (0), length: 0
134+
no Attribute 0 decoder
135+
Unknown Attribute (0), length: 0
136+
no Attribute 0 decoder
137+
Unknown Attribute (0), length: 0
138+
no Attribute 0 decoder
139+
Unknown Attribute (0), length: 0
140+
no Attribute 0 decoder
141+
Unknown Attribute (0), length: 0
142+
no Attribute 0 decoder
143+
Unknown Attribute (0), length: 0
144+
no Attribute 0 decoder
145+
Unknown Attribute (0), length: 0
146+
no Attribute 0 decoder
147+
Unknown Attribute (0), length: 0
148+
no Attribute 0 decoder
149+
Unknown Attribute (0), length: 0
150+
no Attribute 0 decoder
151+
Unknown Attribute (0), length: 140
152+
no Attribute 0 decoder
153+
0x0000: 0000 0000 0000 0080 27ef 0000 0100 c600
154+
0x0010: 007f f3f9 8900 0107 07d4 2d9d a102 80fd
155+
0x0020: ecff ff04 00ff 4000 0000 ffff ffff ffff
156+
0x0030: 002d 0200 03f1 ff7b c3b2 ff80 0007 434c
157+
0x0040: 4945 4e54 0000 00df 00c1 2300 0000 0000
158+
0x0050: ff00 0000 ff00 0000 04ff ffff ffff ffff
159+
0x0060: ffff ffff 002d 0200 03f1 ff7b c3b2 ff80
160+
0x0070: 0007 0000 0000 460e e300 0380 1500 b300
161+
0x0080: 00f7 00df ee35 0000 0500 0000
162+
Unknown Attribute (0), length: 0
163+
no Attribute 0 decoder
164+
Unknown Attribute (0), length: 0
165+
no Attribute 0 decoder[|BGP] [|BGP]
166+
Update Message (2), length: 45
167+
Withdrawn routes: 3 bytes
168+
Attribute Set (128), length: 7, Flags [OTPE+f]:
169+
Origin AS: 223
170+
Unknown Attribute (193), length: 35
171+
no Attribute 193 decoder
172+
0x0000: 0000 0000 00a1 0200 0aff ffff ffff ffff
173+
0x0010: ffff ffff ffff ffff ff00 2d02 0003 f1ff
174+
0x0020: 7bc3 b2
175+
Unknown Attribute (241), length: 255, Flags [+3]:
176+
no Attribute 241 decoder
177+
0x0000: 7bc3 b2ff 8000 0700 0000 0046 0ee3 0003
178+
0x0010: 8001 00b3 0000 f700 dfee 0500 0000 0000
179+
0x0020: 0000 0000 0d00 0000 0000 0000 0000 0000
180+
0x0030: 0000 0000 0000 00ff 8000 0700 0000 0046
181+
0x0040: 0ee3 0003 8015 00cd 0000 f700 dfee 0500
182+
0x0050: 0000 0000 0000 0000 1b00 0000 fff5 0000
183+
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000
184+
0x0070: 0000 0000 0000 0000 5000 2d9d a102 80fd
185+
0x0080: ffff ffff ffff ffff ffff ffff ffff ffff
186+
0x0090: 002d 0200 03f1 ff7b c3b2 ff80 0007 0000
187+
0x00a0: 00df 00c1 2300 0000 0000 a102 009e ffff
188+
0x00b0: ffff ffff ffff ffff ffff ffff 9494 942d
189+
0x00c0: 0200 03f1 ff7b c3b2 ff80 0007 0000 0000
190+
0x00d0: 460e e300 0380 1500 b300 00f7 00df ee05
191+
0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000
192+
0x00f0: 0000 0000 0000 0000 0000 0000 0000 00
193+
Unknown Attribute (0), length: 0, Flags [OTE+e]:
194+
no Attribute 0 decoder
195+
Unknown Attribute (0), length: 0
196+
no Attribute 0 decoder
197+
Unknown Attribute (0), length: 0
198+
no Attribute 0 decoder
199+
Unknown Attribute (0), length: 0
200+
no Attribute 0 decoder
201+
Unknown Attribute (0), length: 0, Flags [+1]:
202+
no Attribute 0 decoder
203+
Unknown Attribute (0), length: 0
204+
no Attribute 0 decoder
205+
Unknown Attribute (0), length: 0
206+
no Attribute 0 decoder
207+
Unknown Attribute (0), length: 0
208+
no Attribute 0 decoder
209+
Unknown Attribute (0), length: 0
210+
no Attribute 0 decoder
211+
Unknown Attribute (0), length: 0
212+
no Attribute 0 decoder
213+
Unknown Attribute (0), length: 0
214+
no Attribute 0 decoder
215+
Unknown Attribute (0), length: 0
216+
no Attribute 0 decoder
217+
Unknown Attribute (0), length: 0
218+
no Attribute 0 decoder
219+
Unknown Attribute (0), length: 0
220+
no Attribute 0 decoder
221+
Unknown Attribute (0), length: 0
222+
no Attribute 0 decoder
223+
Unknown Attribute (0), length: 0
224+
no Attribute 0 decoder
225+
Unknown Attribute (0), length: 0
226+
no Attribute 0 decoder
227+
Unknown Attribute (0), length: 0
228+
no Attribute 0 decoder
229+
Unknown Attribute (0), length: 0
230+
no Attribute 0 decoder
231+
Unknown Attribute (0), length: 0
232+
no Attribute 0 decoder
233+
Unknown Attribute (0), length: 0
234+
no Attribute 0 decoder
235+
Unknown Attribute (0), length: 0
236+
no Attribute 0 decoder
237+
Unknown Attribute (0), length: 0
238+
no Attribute 0 decoder
239+
Unknown Attribute (0), length: 140
240+
no Attribute 0 decoder
241+
0x0000: 0000 0000 0000 0080 27ef 0000 0100 c600
242+
0x0010: 007f f3f9 8900 0107 07d4 2d9d a102 80fd
243+
0x0020: ecff ff04 00ff 4000 0000 ffff ffff ffff
244+
0x0030: 002d 0200 03f1 ff7b c3b2 ff80 0007 434c
245+
0x0040: 4945 4e54 0000 00df 00c1 2300 0000 0000
246+
0x0050: ff00 0000 ff00 0000 04ff ffff ffff ffff
247+
0x0060: ffff ffff 002d 0200 03f1 ff7b c3b2 ff80
248+
0x0070: 0007 0000 0000 460e e300 0380 1500 b300
249+
0x0080: 00f7 00df ee35 0000 0500 0000
250+
Unknown Attribute (0), length: 0
251+
no Attribute 0 decoder
252+
Unknown Attribute (0), length: 0
253+
no Attribute 0 decoder[|BGP] [|BGP]
254+
Update Message (2), length: 45
255+
Withdrawn routes: 3 bytes
256+
Unknown Attribute (241), length: 255, Flags [+3]: [|BGP] [|BGP]
257+
Update Message (2), length: 45
258+
Withdrawn routes: 3 bytes
259+
Attribute Set (128), length: 7, Flags [OTPE+f]:
260+
Origin AS: 223
261+
Unknown Attribute (193), length: 35
262+
no Attribute 193 decoder
263+
0x0000: 0000 0000 00a1 0200 9eff ffff ffff ffff
264+
0x0010: ffff ffff ffff ff94 9494 2d02 0003 f1ff
265+
0x0020: 7bc3 b2
266+
Attribute Set (128), length: 7, Flags [OTPE+f]:
267+
Origin AS: 0
268+
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
269+
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
270+
nexthop: RD: unknown RD format, 05.0000.0000.0000.0000.0000.0000, nh-length: 21, no SNPA
271+
(illegal prefix length)
272+
Attribute Set (128), length: 7, Flags [OTPE+f]:
273+
Origin AS: 0
274+
Multi-Protocol Reach NLRI (14), length: 227, Flags [T+6]:
275+
AFI: NSAP (3), SAFI: labeled VPN Unicast (128)
276+
nexthop: RD: unknown RD format, 35.0000.0500.0000.0000.0000.0000, nh-length: 21, no SNPA
277+
(illegal prefix length)[|BGP]
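Review bot: the last next-hop in this file (line 276, "nexthop: RD: unknown RD format, 35.0000.0500.0000.0000.0000.0000, nh-length: 21") is the actual trigger and deserves a pointer from the commit message or TESTLIST: its NSAP starts with the RFC 1888 prefix 35.0000 but the next-hop is 21 octets, short of the 27 (8 + 3 + 16) the new check requires, so no " = <address>" suffix is printed, whereas the old code would have passed tptr+BGP_VPN_RD_LEN+3 to ip6addr_string() and read 6 octets past the declared length. The other NSAP next-hops (lines 17, 98 and 270) start 05.0000 and match neither prefix, and line 12 ("invalid len, nh-length: 1") exercises the short-length path, so the file covers the short, non-matching and length-mismatched cases; there is no positive mapped-address case in it, so the " = " output path of the fixed code is not exercised by this test.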

Diff for: tests/bgp_mp_reach_nlri-oobr.pcap

2.72 KB
Binary file not shown.
