authorCROSS <info@codenomicon.com>2011-09-26 13:17:05 +0400
committerDenis Ovsienko <infrastation@yandex.ru>2011-09-26 18:46:16 +0400
commit94431dbc753171b48b5c6806af97fd690813b00a (patch)
tree463b917f9f80236be01e4502863b34ae2d52b53d
parenta0bf59bcac8b40c3f83e7f2e7f65087ece6acfc7 (diff)
bgpd: CVE-2011-3327 (ext. comm. buffer overflow)
This vulnerability (CERT-FI #513254) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. The problem occurs when bgpd receives an UPDATE message containing 255 unknown AS_PATH attributes in Path Attribute Extended Communities. This causes a buffer overflow in bgpd. * bgp_ecommunity.c * ecommunity_ecom2str(): perform size check earlier
-rw-r--r--bgpd/bgp_ecommunity.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 8d91c746..440c15a4 100644
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -620,6 +620,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
for (i = 0; i < ecom->size; i++)
{
+ /* Make it sure size is enough. */
+ while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
+ {
+ str_size *= 2;
+ str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
+ }
+
/* Space between each value. */
if (! first)
str_buf[str_pnt++] = ' ';
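Review bot: The relocated guard at the top of the `for` body is only sufficient if no single iteration appends more than ECOMMUNITY_STR_DEFAULT_LEN bytes (separator, prefix, formatted value and terminating NUL), and the comment `/* Make it sure size is enough. */` does not record that requirement. I would reword it to `/* Grow before writing anything: each iteration must append fewer than ECOMMUNITY_STR_DEFAULT_LEN bytes, NUL included. */` so that anyone lengthening an output format later knows to revisit the constant. The formatting writes themselves lie outside this hunk; if they are unbounded sprintf-style calls, limiting them to `str_size - str_pnt` would keep a future miscalculation from turning into a heap overflow on attacker-supplied UPDATE data. The loop body and the rest of ecommunity_ecom2str() continue past the hunk, so this is inferred from the visible lines only.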
@@ -663,13 +670,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
break;
}
- /* Make it sure size is enough. */
- while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
- {
- str_size *= 2;
- str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
- }
-
/* Put string into buffer. */
if (encode == ECOMMUNITY_ENCODE_AS4)
{