| author | CROSS <info@codenomicon.com> | 2011-09-26 13:17:05 +0400 | 
|---|---|---|
| committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-09-26 18:39:37 +0400 | 
| commit | a1afbc6e1d56b06409de5e8d7d984d565817fd96 (patch) | |
| tree | a45dfa998baab938e8373950b7bf4c7af60f6dc1 | |
| parent | 3eca6f099d5a3aac0b66dfbf98fd8be84ea426b7 (diff) | |
bgpd: CVE-2011-3327 (ext. comm. buffer overflow)
This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.
The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overflow in bgpd.
* bgp_ecommunity.c
  * ecommunity_ecom2str(): perform size check earlier
| -rw-r--r-- | bgpd/bgp_ecommunity.c | 14 | 
1 files changed, 7 insertions, 7 deletions
| diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 8d5fa741..e7eb0a07 100644
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -619,6 +619,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
   for (i = 0; i < ecom->size; i++)
     {
+      /* Make it sure size is enough.  */
+      while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
+	{
+	  str_size *= 2;
+	  str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
+	}
+
       /* Space between each value.  */
       if (! first)
 	str_buf[str_pnt++] = ' ';
@@ -662,13 +669,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
 	  break;
 	}
-      /* Make it sure size is enough.  */
-      while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
-	{
-	  str_size *= 2;
-	  str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
-	}
-
       /* Put string into buffer.  */
       if (encode == ECOMMUNITY_ENCODE_AS4)
 	{ |
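Review bot: The guard now at the top of the loop in ecommunity_ecom2str() only prevents an overrun if no single iteration ever writes more than ECOMMUNITY_STR_DEFAULT_LEN bytes, and nothing in the hunk states or enforces that limit. Both the separator store `str_buf[str_pnt++] = ' ';` and whatever the switch and the "Put string into buffer" code write afterwards are charged against that one reservation. I would spell the invariant out in the comment, for example `/* Reserve room for one separator plus one formatted value; every path below, including any that skips to the next element, must write fewer than ECOMMUNITY_STR_DEFAULT_LEN bytes.  */`. If the formatting further down uses an unbounded write, bounding it by `str_size - str_pnt` would make the limit enforced rather than assumed. The constant's definition, the switch body and the formatting calls lie outside the hunk, so this needs checking against the full function.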
