diff options
author | CROSS <info@codenomicon.com> | 2011-09-26 13:17:05 +0400 |
---|---|---|
committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 18:46:16 +0400 |
commit | 94431dbc753171b48b5c6806af97fd690813b00a (patch) | |
tree | 463b917f9f80236be01e4502863b34ae2d52b53d | |
parent | a0bf59bcac8b40c3f83e7f2e7f65087ece6acfc7 (diff) |
bgpd: CVE-2011-3327 (ext. comm. buffer overflow)
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.
* bgp_ecommunity.c
* ecommunity_ecom2str(): perform size check earlier
-rw-r--r-- | bgpd/bgp_ecommunity.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c index 8d91c746..440c15a4 100644 --- a/bgpd/bgp_ecommunity.c +++ b/bgpd/bgp_ecommunity.c @@ -620,6 +620,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format) for (i = 0; i < ecom->size; i++) { + /* Make it sure size is enough. */ + while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size) + { + str_size *= 2; + str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size); + } + /* Space between each value. */ if (! first) str_buf[str_pnt++] = ' '; @@ -663,13 +670,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format) break; } - /* Make it sure size is enough. */ - while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size) - { - str_size *= 2; - str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size); - } - /* Put string into buffer. */ if (encode == ECOMMUNITY_ENCODE_AS4) { |