
CVE-2017-13043/BGP: fix decoding of MVPN route types 6 and 7

RFC 6514 Section 4.6 defines the structure for Shared Tree Join (6) and
Source Tree Join (7) multicast VPN route types. decode_multicast_vpn()
didn't implement the Source AS field of that structure properly, adjust
the offsets to put it right.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).
infrastation committed Aug 3, 2017
1 parent d10a0f9 commit d515b4b4a300479cdf1a6e0d1bb95bc1f9fee514
Showing with 16 additions and 2 deletions.
  1. +2 −2 print-bgp.c
  2. +1 −0 tests/TESTLIST
  3. +13 −0 tests/bgp_mvpn_6_and_7.out
  4. BIN tests/bgp_mvpn_6_and_7.pcap
@@ -965,13 +965,13 @@ decode_multicast_vpn(netdissect_options *ndo,

case BGP_MULTICAST_VPN_ROUTE_TYPE_SHARED_TREE_JOIN: /* fall through */
case BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_TREE_JOIN:
ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN);
ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN + 4);
offset = strlen(buf);
snprintf(buf + offset, buflen - offset, ", RD: %s, Source-AS %s",
bgp_vpn_rd_print(ndo, pptr),
as_printf(ndo, astostr, sizeof(astostr),
EXTRACT_32BITS(pptr + BGP_VPN_RD_LEN)));
pptr += BGP_VPN_RD_LEN;
pptr += BGP_VPN_RD_LEN + 4;

bgp_vpn_sg_print(ndo, pptr, buf, buflen);
break;
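Review bot: The literal 4 for the Source AS width is now written twice, in ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN + 4) and in pptr += BGP_VPN_RD_LEN + 4, while the read itself is sized separately by EXTRACT_32BITS(pptr + BGP_VPN_RD_LEN). The check, the read and the advance must all agree for the bounds check to cover what is consumed, so a named constant for the Source AS length, or at least a comment citing RFC 6514 Section 4.6, would keep them in step. Separately, nothing in this hunk compares BGP_VPN_RD_LEN + 4 against the route's own length field before pptr is handed to bgp_vpn_sg_print(); it is worth confirming that the caller or bgp_vpn_sg_print() bounds that.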
@@ -564,6 +564,7 @@ hncp_dhcpv6data-oobr hncp_dhcpv6data-oobr.pcap hncp_dhcpv6data-oobr.out -v -c1
hncp_dhcpv4data-oobr hncp_dhcpv4data-oobr.pcap hncp_dhcpv4data-oobr.out -v -c1
vqp-oobr vqp-oobr.pcap vqp-oobr.out -v -c1
bgp_pmsi_tunnel-oobr bgp_pmsi_tunnel-oobr.pcap bgp_pmsi_tunnel-oobr.out -v -c1
bgp_mvpn_6_and_7 bgp_mvpn_6_and_7.pcap bgp_mvpn_6_and_7.out -v -c1

# bad packets from Katie Holly
mlppp-oobr mlppp-oobr.pcap mlppp-oobr.out
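Review bot: The new bgp_mvpn_6_and_7 entry does not follow the naming of the neighbouring over-read regression tests (hncp_dhcpv4data-oobr, vqp-oobr, bgp_pmsi_tunnel-oobr), so it reads like a functional decode test rather than a crafted-packet test. A name with the same -oobr suffix would make its purpose clear in the list. The -v -c1 options match the surrounding entries.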
@@ -0,0 +1,13 @@
IP (tos 0xc, ttl 254, id 21263, offset 0, flags [rsvd], proto TCP (6), length 517, bad cksum 8e15 (->99c9)!)
241.0.93.20.179 > 255.247.0.1.200: Flags [none], seq 2146691977:2146692450, win 56026, options [unknown-161,eol], length 473: BGP
Update Message (2), length: 45
Withdrawn routes: 3 bytes
Attribute Set (128), length: 7, Flags [OTPE+f]:
Origin AS: 148
Multi-Protocol Reach NLRI (14), length: 71, Flags [T+6]:
AFI: IPv4 (1), SAFI: Multicast VPN (5), nh-length: 0, no SNPA
Route-Type: Intra-AS I-PMSI (1), length: 0, RD: 62209:33686018 (= 2.2.2.2), Originator bogus address length 4294967232
Route-Type: Unknown (0), length: 0
Route-Type: Unknown (243), length: 1
Route-Type: Inter-AS I-PMSI (2), length: 2, RD: unknown RD format, Source-AS 368115805
Route-Type: Inter-AS I-PMSI (2), length: 2, RD: unknown RD format, Source-AS 335544320[|BGP]
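Review bot: None of the Route-Type lines in this expected output is labelled as a Shared Tree Join or Source Tree Join; the types shown are Intra-AS I-PMSI (1), Unknown (0), Unknown (243) and Inter-AS I-PMSI (2), ending in the [|BGP] truncation marker. From the output alone a reader cannot tell that the corrected case branch is the one reached, so a short note in the commit message or test list on which line corresponds to the fixed path would help. A second, well-formed capture with real type 6 and 7 routes would also pin down the corrected Source-AS offset for valid input.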
Binary file not shown.
