
Commit 86326e8

(for 4.9.3) CVE-2018-14881/BGP: Fix BGP_CAPCODE_RESTART.
Add a bounds check and a comment to bgp_capabilities_print(). This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent 3de07c7 commit 86326e8

4 files changed, +30 −0 lines changed

Diff for: print-bgp.c

+2
@@ -2351,6 +2351,8 @@ bgp_capabilities_print(netdissect_options *ndo,
23512351
opt[i+5]));
23522352
break;
23532353
case BGP_CAPCODE_RESTART:
2354+
/* Restart Flags (4 bits), Restart Time in seconds (12 bits) */
2355+
ND_TCHECK_16BITS(opt + i + 2);
23542356
ND_PRINT((ndo, "\n\t\tRestart Flags: [%s], Restart Time %us",
23552357
((opt[i+2])&0x80) ? "R" : "none",
23562358
EXTRACT_16BITS(opt+i+2)&0xfff));
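Review bot: ND_TCHECK_16BITS(opt + i + 2) bounds the read against the captured packet data but not against the capability's own length field, so a Graceful Restart capability advertising length 0 is still decoded from the two bytes that follow it; the new expected output shows exactly that ("Graceful Restart (64), length: 0" followed by "Restart Flags: [none], Restart Time 0s"). Consider also requiring a capability length of at least 2 before this case prints, so Restart Flags and Restart Time are only decoded from bytes the capability actually carries. The snapshot check added here is still needed on its own: the last capability in the test capture is cut off, and the .out now ends in [|BGP] immediately after its header, which is where this check fires.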

Diff for: tests/TESTLIST

+1
@@ -557,6 +557,7 @@ icmp-icmp_print-oobr-1 icmp-icmp_print-oobr-1.pcap icmp-icmp_print-oobr-1.out -v
557557
icmp-icmp_print-oobr-2 icmp-icmp_print-oobr-2.pcap icmp-icmp_print-oobr-2.out -v -c3
558558
rsvp-rsvp_obj_print-oobr rsvp-rsvp_obj_print-oobr.pcap rsvp-rsvp_obj_print-oobr.out -v -c3
559559
vrrp-vrrp_print-oobr vrrp-vrrp_print-oobr.pcap vrrp-vrrp_print-oobr.out -v -c3
560+
bgp-bgp_capabilities_print-oobr-1 bgp-bgp_capabilities_print-oobr-1.pcap bgp-bgp_capabilities_print-oobr-1.out -v -c1
560561
# The .pcap file is truncated after the 1st packet.
561562
hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
562563
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
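Review bot: the new bgp-bgp_capabilities_print-oobr-1 entry is inserted between the vrrp line and the comment "# The .pcap file is truncated after the 1st packet.", so it is no longer clear whether that comment documents the new entry or only the hncp entries below it, as it did before. Either place the new line after the hncp block or give it a comment of its own; the 274-byte .pcap run with -c1 and the trailing [|BGP] in the .out suggest a truncation note applies to it as well.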

Diff for: tests/bgp-bgp_capabilities_print-oobr-1.out

+27
@@ -0,0 +1,27 @@
1+
IP (tos 0x1f,CE, ttl 254, id 38671, offset 0, flags [+, DF, rsvd], proto TCP (6), length 4135, bad cksum 200 (->1fdd)!)
2+
226.219.0.0.179 > 16.233.34.0.100: Flags [SPUE], seq 347537408:347541483, win 511, urg 65535, options [eol], length 4075: BGP [|BGP]
3+
Open Message (1), length: 59
4+
Version 255, my AS 65528, Holdtime 4324s, ID 144.8.32.4
5+
Optional parameters, length: 29
6+
Option Unknown (0), length: 0
7+
no decoder for option 0
8+
Option Capabilities Advertisement (2), length: 8
9+
Graceful Restart (64), length: 0
10+
Restart Flags: [none], Restart Time 0s
11+
Unknown (0), length: 0
12+
no decoder for Capability 0
13+
32-Bit AS Number (65), length: 4
14+
4 Byte AS 2
15+
Option Unknown (0), length: 2
16+
no decoder for option 0
17+
Option Capabilities Advertisement (2), length: 2
18+
Unknown (232), length: 3
19+
no decoder for Capability 232
20+
0x0000: 0207 04
21+
Option Capabilities Advertisement (2), length: 7
22+
Multiple Routes to a Destination (4), length: 0
23+
no decoder for Capability 4
24+
Unknown (8), length: 0
25+
no decoder for Capability 8
26+
Route Refresh (Cisco) (128), length: 0
27+
Graceful Restart (64), length: 0[|BGP]

Diff for: tests/bgp-bgp_capabilities_print-oobr-1.pcap

274 Bytes
Binary file not shown.

0 commit comments