
Commit af2cf04

infrastationfxlb
authored and committed
(for 4.9.3) CVE-2018-16300/BGP: prevent stack exhaustion
Enforce a limit on how many times bgp_attr_print() can recurse. This fixes a stack exhaustion discovered by Include Security working under the Mozilla SOS program in 2018 by means of code audit.
1 parent 4bfd71e commit af2cf04

1 file changed

+12
-4
lines changed


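--- a/print-bgp.c
+++ b/print-bgp.c
@@ -1361,7 +1361,7 @@ bgp_attr_get_as_size(netdissect_options *ndo,
 
 static int
 bgp_attr_print(netdissect_options *ndo,
-u_int atype, const u_char *pptr, u_int len)
+u_int atype, const u_char *pptr, u_int len, const unsigned attr_set_level)
 {
 int i;
 uint16_t af;
@@ -2284,8 +2284,16 @@ bgp_attr_print(netdissect_options *ndo,
 ND_PRINT((ndo, "+%x", aflags & 0xf));
 ND_PRINT((ndo, "]: "));
 }
-/* FIXME check for recursion */
-if (!bgp_attr_print(ndo, atype, tptr, alen))
+/* The protocol encoding per se allows ATTR_SET to be nested as many times
+* as the message can accommodate. This printer used to be able to recurse
+* into ATTR_SET contents until the stack exhaustion, but now there is a
+* limit on that (if live protocol exchange goes that many levels deep,
+* something is probably wrong anyway). Feel free to refine this value if
+* you can find the spec with respective normative text.
+*/
+if (attr_set_level == 10)
+ND_PRINT((ndo, "(too many nested levels, not recursing)"));
+else if (!bgp_attr_print(ndo, atype, tptr, alen, attr_set_level + 1))
 return 0;
 tptr += alen;
 len -= alen;
@@ -2592,7 +2600,7 @@ bgp_update_print(netdissect_options *ndo,
 goto trunc;
 if (length < alen)
 goto trunc;
-if (!bgp_attr_print(ndo, atype, p, alen))
+if (!bgp_attr_print(ndo, atype, p, alen, 0))
 goto trunc;
 p += alen;
 len -= alen;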
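Review bot: The recursion cap in the second hunk, `if (attr_set_level == 10)`, is a bare magic number tested with equality, so the guard only holds because the single caller in bgp_update_print starts at 0 and each level adds exactly 1; a future caller passing a larger start value would skip past the limit and recurse unbounded again. Naming the bound and using `>=` keeps the defence independent of the call site, e.g. `#define BGP_ATTR_SET_MAX_DEPTH 10` (constructed name) near the top of the file and `if (attr_set_level >= BGP_ATTR_SET_MAX_DEPTH)` at the check. The block comment could also say that the limit exists specifically to bound stack usage against crafted or malformed ATTR_SET nesting in captured traffic, which is the property the change is protecting. The body of bgp_attr_print begins and ends outside this hunk.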
