Commit d515b4b

CVE-2017-13043/BGP: fix decoding of MVPN route types 6 and 7
RFC 6514 Section 4.6 defines the structure for Shared Tree Join (6) and Source Tree Join (7) multicast VPN route types. decode_multicast_vpn() didn't implement the Source AS field of that structure properly, adjust the offsets to put it right. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add a test using the capture file supplied by the reporter(s).
1 parent d10a0f9 commit d515b4b

4 files changed

+16
-2
lines changed

Diff for: print-bgp.c

+2-2
@@ -965,13 +965,13 @@ decode_multicast_vpn(netdissect_options *ndo,
965965

966966
case BGP_MULTICAST_VPN_ROUTE_TYPE_SHARED_TREE_JOIN: /* fall through */
967967
case BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_TREE_JOIN:
968-
ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN);
968+
ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN + 4);
969969
offset = strlen(buf);
970970
snprintf(buf + offset, buflen - offset, ", RD: %s, Source-AS %s",
971971
bgp_vpn_rd_print(ndo, pptr),
972972
as_printf(ndo, astostr, sizeof(astostr),
973973
EXTRACT_32BITS(pptr + BGP_VPN_RD_LEN)));
974-
pptr += BGP_VPN_RD_LEN;
974+
pptr += BGP_VPN_RD_LEN + 4;
975975

976976
bgp_vpn_sg_print(ndo, pptr, buf, buflen);
977977
break;
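
Review bot: The Source AS width is a bare 4 in both the ND_TCHECK2() bound and the pptr advance, while the read between them is EXTRACT_32BITS(pptr + BGP_VPN_RD_LEN); all three have to agree, so a named constant beside BGP_VPN_RD_LEN (a hypothetical BGP_MVPN_SOURCE_AS_LEN, say) or a one-line comment citing RFC 6514 Section 4.6 would make that coupling explicit and harder to break in a later edit. The check shown covers captured bytes only; these lines do not show the route's own length being compared against BGP_VPN_RD_LEN + 4 before bgp_vpn_sg_print() is called, which is worth confirming in the surrounding code.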

Diff for: tests/TESTLIST

+1
@@ -564,6 +564,7 @@ hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
564564
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
565565
vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1
566566
bgp_pmsi_tunnel-oobr bgp_pmsi_tunnel-oobr.pcap bgp_pmsi_tunnel-oobr.out -v -c1
567+
bgp_mvpn_6_and_7 bgp_mvpn_6_and_7.pcap bgp_mvpn_6_and_7.out -v -c1
567568

568569
# bad packets from Katie Holly
569570
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
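
Review bot: Style point on the added bgp_mvpn_6_and_7 entry: it sits in a run of entries that all carry the -oobr suffix (hncp_dhcpv4data-oobr, vqp-oobr, bgp_pmsi_tunnel-oobr), and the commit message describes this as a buffer over-read too, so a name following the same suffix convention would keep the group consistent and make the test's purpose visible from TESTLIST alone.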

Diff for: tests/bgp_mvpn_6_and_7.out

+13
@@ -0,0 +1,13 @@
1+
IP (tos 0xc, ttl 254, id 21263, offset 0, flags [rsvd], proto TCP (6), length 517, bad cksum 8e15 (->99c9)!)
2+
241.0.93.20.179 > 255.247.0.1.200: Flags [none], seq 2146691977:2146692450, win 56026, options [unknown-161,eol], length 473: BGP
3+
Update Message (2), length: 45
4+
Withdrawn routes: 3 bytes
5+
Attribute Set (128), length: 7, Flags [OTPE+f]:
6+
Origin AS: 148
7+
Multi-Protocol Reach NLRI (14), length: 71, Flags [T+6]:
8+
AFI: IPv4 (1), SAFI: Multicast VPN (5), nh-length: 0, no SNPA
9+
Route-Type: Intra-AS I-PMSI (1), length: 0, RD: 62209:33686018 (= 2.2.2.2), Originator bogus address length 4294967232
10+
Route-Type: Unknown (0), length: 0
11+
Route-Type: Unknown (243), length: 1
12+
Route-Type: Inter-AS I-PMSI (2), length: 2, RD: unknown RD format, Source-AS 368115805
13+
Route-Type: Inter-AS I-PMSI (2), length: 2, RD: unknown RD format, Source-AS 335544320[|BGP]
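
Review bot: None of the 13 expected lines is a Shared Tree Join (6) or Source Tree Join (7) route; the Route-Type values printed are 1, 0, 243 and 2, so this output does not visibly exercise the branch changed in print-bgp.c despite the test name. It would help to confirm that the capture reaches that case, or to add a capture whose expected output includes a type 6 or 7 line with RD and Source-AS. Separately, lines 12 and 13 report "length: 2" yet print both an RD and a Source-AS, so the declared route length does not appear to bound the fixed fields for that route type either.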

Diff for: tests/bgp_mvpn_6_and_7.pcap

371 Bytes
Binary file not shown.
