Skip to content
Permalink
Browse files Browse the repository at this point in the history
(for 4.9.3) CVE-2018-16300/BGP: prevent stack exhaustion
Enforce a limit on how many times bgp_attr_print() can recurse.

This fixes a stack exhaustion discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.
  • Loading branch information
infrastation authored and fxlb committed Aug 27, 2019
1 parent 4bfd71e commit af2cf04
Showing 1 changed file with 12 additions and 4 deletions.
16 changes: 12 additions & 4 deletions print-bgp.c
Expand Up @@ -1361,7 +1361,7 @@ bgp_attr_get_as_size(netdissect_options *ndo,

static int
bgp_attr_print(netdissect_options *ndo,
u_int atype, const u_char *pptr, u_int len)
u_int atype, const u_char *pptr, u_int len, const unsigned attr_set_level)
{
int i;
uint16_t af;
Expand Down Expand Up @@ -2284,8 +2284,16 @@ bgp_attr_print(netdissect_options *ndo,
ND_PRINT((ndo, "+%x", aflags & 0xf));
ND_PRINT((ndo, "]: "));
}
/* FIXME check for recursion */
if (!bgp_attr_print(ndo, atype, tptr, alen))
/* The protocol encoding per se allows ATTR_SET to be nested as many times
* as the message can accommodate. This printer used to be able to recurse
* into ATTR_SET contents until the stack exhaustion, but now there is a
* limit on that (if live protocol exchange goes that many levels deep,
* something is probably wrong anyway). Feel free to refine this value if
* you can find the spec with respective normative text.
*/
if (attr_set_level == 10)
ND_PRINT((ndo, "(too many nested levels, not recursing)"));
else if (!bgp_attr_print(ndo, atype, tptr, alen, attr_set_level + 1))
return 0;
tptr += alen;
len -= alen;
Expand Down Expand Up @@ -2592,7 +2600,7 @@ bgp_update_print(netdissect_options *ndo,
goto trunc;
if (length < alen)
goto trunc;
if (!bgp_attr_print(ndo, atype, p, alen))
if (!bgp_attr_print(ndo, atype, p, alen, 0))
goto trunc;
p += alen;
len -= alen;
Expand Down

0 comments on commit af2cf04

Please sign in to comment.