oss-sec mailing list archives
Re: CVE request (sort of): Quagga BGP crasher
From: Jon Oberheide <jon () oberheide org>
Date: Fri, 01 May 2009 06:48:43 -0400
Florian,

On Fri, 2009-05-01 at 11:02 +0200, Florian Weimer wrote:

> There's a crasher bug in Quagga's bgpd which can allegedly be triggered by routes present in the global table. See: <http://thread.gmane.org/gmane.network.quagga.devel/6513>
>
> I think we need a CVE for that, but I don't understand the problem yet (and I can't reproduce it), so I can't come up with a concise vulnerability description.
Looks like the Quagga code in bgp_aspath.c is assuming that converting each ASN of the AS path to a string will be 5 bytes plus a space (#define ASN_STR_LEN (5 + 1)). Therefore, it allocates (ASN_STR_LEN * the number of ASNs in the path segment) bytes to snprintf into when creating the pretty-print version of the AS path.

This is all fine and dandy until we hit an AS path with 32-bit ASNs whose string representation can of course be longer than 5 bytes. The len += snprintf()'s will return more bytes written than expected and then we'll hit our assert since we've written more bytes than originally allocated (str_size).

Have you tried reproducing it with an AS path containing 32-bit ASNs (of value at least 100000)?

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
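As an added illustration (not Quagga's code and not from this thread), the sizing mistake described above in reduced form: a buffer sized on the 5-digit-per-ASN assumption, a bounded formatter that reports how many bytes snprintf wanted to write, and a check of that total against the allocation. The ASN_STR_LEN_OLD/ASN_STR_LEN_SAFE names, the `count * per_asn + 1` sizing rule and the sample paths are assumptions constructed for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Per-ASN width the message describes: 5 digits (16-bit ASNs top out at
 * 65535) plus one separating space. */
#define ASN_STR_LEN_OLD (5 + 1)
/* A 32-bit ASN needs up to 10 digits ("4294967295") plus the separator. */
#define ASN_STR_LEN_SAFE (10 + 1)

/* Constructed sample paths: 16-bit ASNs only, and two 32-bit ASNs. */
const uint32_t ASPATH_16BIT[] = { 64512, 1, 65535 };
const uint32_t ASPATH_32BIT[] = { 100000, 4200000000u };

/* Hypothetical sizing rule (an assumption, not Quagga's exact arithmetic):
 * per_asn bytes per ASN plus one byte for the terminating NUL. */
size_t aspath_str_size(size_t count, size_t per_asn)
{
    return count * per_asn + 1;
}

/* Print the ASNs as "A B C " into str without ever writing past str_size.
 * Returns the total snprintf *wanted* to write, which is what the original
 * len += snprintf(...) accumulated; reaching str_size is the assert condition. */
size_t aspath_format(const uint32_t *asns, size_t count, char *str, size_t str_size)
{
    size_t len = 0;
    for (size_t i = 0; i < count; i++) {
        char *dst = len < str_size ? str + len : NULL;
        size_t avail = len < str_size ? str_size - len : 0;
        int n = snprintf(dst, avail, "%" PRIu32 " ", asns[i]);
        if (n < 0) return str_size; /* encoding error: report as not fitting */
        len += (size_t)n;
    }
    return len;
}

/* 1 if the formatted path (with its NUL) fits a buffer of per_asn bytes per ASN. */
int aspath_fits(const uint32_t *asns, size_t count, size_t per_asn)
{
    size_t str_size = aspath_str_size(count, per_asn);
    char *str = malloc(str_size);
    if (str == NULL) return 0;
    size_t needed = aspath_format(asns, count, str, str_size);
    free(str);
    return needed < str_size;
}
```

With the old sizing, aspath_fits(ASPATH_32BIT, 2, ASN_STR_LEN_OLD) returns 0 (the 18 bytes needed exceed the 13 allocated), while ASN_STR_LEN_SAFE makes the same path fit; the 16-bit-only path fits under either rule.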