Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
quagga.35810
Quagga-2018-0543-bgpd.bsc1079798.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File Quagga-2018-0543-bgpd.bsc1079798.patch of Package quagga.35810
From 6dde85082ca004d590030b2762bd59b0fbd74c93 Mon Sep 17 00:00:00 2001 From: Paul Jakma <paul@jakma.org> Date: Wed, 3 Jan 2018 23:57:33 +0000 Upstream: yes References: CVE-2018-5378,Quagga-2018-0543,bsc#1079798 Subject: bgpd/security: invalid attr length sends NOTIFY with data overrun Security issue: Quagga-2018-0543 See: https://www.quagga.net/security/Quagga-2018-0543.txt * bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly checked, and a NOTIFY prepared. The NOTIFY can include the incorrect received data with the NOTIFY, for debug purposes. Commit c69698704806a9ac5 modified the code to do that just, and also send the malformed attr with the NOTIFY. However, the invalid attribute length was used as the length of the data to send back. The result is a read past the end of data, which is then written to the NOTIFY message and sent to the peer. A configured BGP peer can use this bug to read up to 64 KiB of memory from the bgpd process, or crash the process if the invalid read is caught by some means (unmapped page and SEGV, or other mechanism) resulting in a DoS. This bug _ought_ /not/ be exploitable by anything other than the connected BGP peer, assuming the underlying TCP transport is secure. For no BGP peer should send on an UPDATE with this attribute. Quagga will not, as Quagga always validates the attr header length, regardless of type. However, it is possible that there are BGP implementations that do not check lengths on some attributes (e.g. optional/transitive ones of a type they do not recognise), and might pass such malformed attrs on. If such implementations exists and are common, then this bug might be triggerable by BGP speakers further hops away. Those peers will not receive the NOTIFY (unless they sit on a shared medium), however they might then be able to trigger a DoS. Fix: use the valid bound to calculate the length. --- bgpd/bgp_attr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 6aab50af..44906922 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -2079,6 +2079,8 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, memset (seen, 0, BGP_ATTR_BITMAP_SIZE); /* End pointer of BGP attribute. */ + assert (size <= stream_get_size (BGP_INPUT (peer))); + assert (size <= stream_get_endp (BGP_INPUT (peer))); endp = BGP_INPUT_PNT (peer) + size; /* Get attributes to the end of attribute length. */ @@ -2160,7 +2162,7 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, bgp_notify_send_with_data (peer, BGP_NOTIFY_UPDATE_ERR, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, - startp, attr_endp - startp); + startp, endp - startp); return BGP_ATTR_PARSE_ERROR; } -- 2.13.6
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor