Skip to content
Permalink
Browse files Browse the repository at this point in the history
(for 4.9.3) CVE-2018-14881/BGP: Fix BGP_CAPCODE_RESTART.
Add a bounds check and a comment to bgp_capabilities_print().

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
  • Loading branch information
fxlb committed Aug 18, 2019
1 parent 3de07c7 commit 86326e8
Show file tree
Hide file tree
Showing 4 changed files with 30 additions and 0 deletions.
2 changes: 2 additions & 0 deletions print-bgp.c
Expand Up @@ -2351,6 +2351,8 @@ bgp_capabilities_print(netdissect_options *ndo,
opt[i+5]));
break;
case BGP_CAPCODE_RESTART:
/* Restart Flags (4 bits), Restart Time in seconds (12 bits) */
ND_TCHECK_16BITS(opt + i + 2);
ND_PRINT((ndo, "\n\t\tRestart Flags: [%s], Restart Time %us",
((opt[i+2])&0x80) ? "R" : "none",
EXTRACT_16BITS(opt+i+2)&0xfff));
Expand Down
1 change: 1 addition & 0 deletions tests/TESTLIST
Expand Up @@ -557,6 +557,7 @@ icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v
icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
# The .pcap file is truncated after the 1st packet.
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
Expand Down
27 changes: 27 additions & 0 deletions tests/bgp-bgp_capabilities_print-oobr-1.out
@@ -0,0 +1,27 @@
IP (tos 0x1f,CE, ttl 254, id 38671, offset 0, flags [+, DF, rsvd], proto TCP (6), length 4135, bad cksum 200 (->1fdd)!)
226.219.0.0.179 > 16.233.34.0.100: Flags [SPUE], seq 347537408:347541483, win 511, urg 65535, options [eol], length 4075: BGP [|BGP]
Open Message (1), length: 59
Version 255, my AS 65528, Holdtime 4324s, ID 144.8.32.4
Optional parameters, length: 29
Option Unknown (0), length: 0
no decoder for option 0
Option Capabilities Advertisement (2), length: 8
Graceful Restart (64), length: 0
Restart Flags: [none], Restart Time 0s
Unknown (0), length: 0
no decoder for Capability 0
32-Bit AS Number (65), length: 4
4 Byte AS 2
Option Unknown (0), length: 2
no decoder for option 0
Option Capabilities Advertisement (2), length: 2
Unknown (232), length: 3
no decoder for Capability 232
0x0000: 0207 04
Option Capabilities Advertisement (2), length: 7
Multiple Routes to a Destination (4), length: 0
no decoder for Capability 4
Unknown (8), length: 0
no decoder for Capability 8
Route Refresh (Cisco) (128), length: 0
Graceful Restart (64), length: 0[|BGP]
Binary file added tests/bgp-bgp_capabilities_print-oobr-1.pcap
Binary file not shown.

0 comments on commit 86326e8

Please sign in to comment.