path: root/bgpd/ChangeLog
author: Paul Jakma <paul.jakma@sun.com> 2007-04-10 19:36:48 +0000
committer: Paul Jakma <paul.jakma@sun.com> 2007-04-10 19:36:48 +0000
commit: 6e4ab12f1504caa95edc7702a82f118d0de15a0a (patch)
tree: 50b6784229f92d404e5d6509848c135395743f2f /bgpd/ChangeLog
parent: 16d2e2410d6e8cf53fac05b956f3e7ee53bc7234 (diff)
[bgpd] Bug #354: Take care to keep reads of MP_(UN)REACH_NLRI in bounds
2007-04-08 Paul Jakma <paul.jakma@sun.com>

	* bgp_attr.c: (general) Bug #354: parsing of MP_REACH_NLRI and
	  MP_UNREACH_NLRI does not take sufficient care to ensure reads
	  from stream buffer stay in-bounds. Hence bgpd may attempt to read
	  beyond end of stream, if given a crafted packet. As it uses the
	  stream access methods to do so, this will typically result in
	  assert() being hit in stream.c. Where code is compiled without
	  assert() enabled, result is unknown.
	  (struct message attr_str) should be static.
	  (bgp_mp_reach_parse) Carefully check length remaining in stream
	  against amount desired to read from stream, prior to each read,
	  particularly where lengths are conditional on data obtained from
	  stream - using STREAM_READABLE.
	  Remove code to parse SNPA-number, it's a defunct field and changed
	  to a fixed size in latest BGP MP update RFC - log warning if
	  SNPA-number is not 0.
	  (bgp_mp_unreach_parse) Check withdraw_length carefully against
	  STREAM_READABLE.
	  (bgp_attr_parse) If attribute-parser function returns error, log
	  warning.
	  Log attribute type on mismatch.
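The pattern the commit message describes, checking what remains in the stream before every read and in particular before reads whose length was itself taken from the wire, is shown below as an added example. This is not Quagga's bgp_attr.c and not the patch; the `rstream` type, `readable()` and the getters are this example's stand-ins for Quagga's `struct stream` and `STREAM_READABLE`, the MP_REACH_NLRI layout (AFI, SAFI, next-hop length, next hop, one reserved octet, NLRI) is the RFC 4760 layout, and the two byte strings are constructed test vectors, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal read-only byte stream; stand-in for Quagga's struct stream
 * (assumption: names and layout are this example's own). */
struct rstream {
    const uint8_t *data;
    size_t len;   /* one past the last readable byte */
    size_t getp;  /* current read position */
};

static size_t readable(const struct rstream *s) { return s->len - s->getp; }

/* Every getter checks the remaining length before touching the buffer. */
static int get_u8(struct rstream *s, uint8_t *out)
{
    if (readable(s) < 1) return -1;
    *out = s->data[s->getp++];
    return 0;
}

static int get_u16(struct rstream *s, uint16_t *out)
{
    if (readable(s) < 2) return -1;
    *out = (uint16_t)((s->data[s->getp] << 8) | s->data[s->getp + 1]);
    s->getp += 2;
    return 0;
}

struct mp_reach {
    uint16_t afi;
    uint8_t safi, nh_len, nexthop[32];
    uint8_t reserved;       /* the former SNPA-number octet, expected 0 */
    const uint8_t *nlri;
    size_t nlri_len;
};

/* Walk an NLRI blob: 1 octet prefix length in bits, then ceil(bits/8)
 * octets. Returns the prefix count, or -1 if a prefix runs past the end. */
int nlri_count(const uint8_t *p, size_t len)
{
    struct rstream s = { p, len, 0 };
    int n = 0;
    while (readable(&s) > 0) {
        uint8_t bits;
        if (get_u8(&s, &bits) < 0) return -1;
        size_t need = (bits + 7) / 8;         /* length derived from wire data */
        if (readable(&s) < need) return -1;
        s.getp += need;
        n++;
    }
    return n;
}

/* Parse MP_REACH_NLRI. attr_len comes from the attribute header.
 * Returns 0 on success, -1 if any read would leave the attribute. */
int mp_reach_parse(struct rstream *s, size_t attr_len, struct mp_reach *out)
{
    if (readable(s) < attr_len) return -1;    /* header claims more than present */
    /* Window the stream to the attribute: checks below bound both the
     * attribute length and the real end of the buffer. */
    struct rstream a = { s->data, s->getp + attr_len, s->getp };

    if (get_u16(&a, &out->afi) < 0 || get_u8(&a, &out->safi) < 0 ||
        get_u8(&a, &out->nh_len) < 0)
        return -1;
    if (out->nh_len > sizeof out->nexthop || readable(&a) < out->nh_len)
        return -1;                            /* nh_len came from the wire */
    memcpy(out->nexthop, a.data + a.getp, out->nh_len);
    a.getp += out->nh_len;

    if (get_u8(&a, &out->reserved) < 0) return -1;
    if (out->reserved != 0)
        fprintf(stderr, "MP_REACH_NLRI: reserved octet %u, expected 0\n", out->reserved);

    out->nlri = a.data + a.getp;
    out->nlri_len = readable(&a);
    if (nlri_count(out->nlri, out->nlri_len) < 0) return -1;
    s->getp = a.len;                          /* consume exactly attr_len */
    return 0;
}

/* Constructed vectors. good: IPv6 unicast, 16-octet next hop, one /32. */
static const uint8_t good[] = {
    0x00, 0x02, 0x01, 0x10,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01,
    0x00,
    0x20, 0x20, 0x01, 0x0d, 0xb8,
};
/* crafted: next-hop length 16 with only two octets behind it. */
static const uint8_t crafted[] = { 0x00, 0x02, 0x01, 0x10, 0x20, 0x01 };

int parse_good(void)
{
    struct rstream s = { good, sizeof good, 0 };
    struct mp_reach r;
    return mp_reach_parse(&s, sizeof good, &r) < 0 ? -1 : (int)r.nlri_len;
}

int parse_crafted(void)
{
    struct rstream s = { crafted, sizeof crafted, 0 };
    struct mp_reach r;
    return mp_reach_parse(&s, sizeof crafted, &r);  /* -1, nothing read past end */
}
```

The windowed sub-stream is the point: once `attr_len` has been verified against the buffer, every later `readable()` check is against the attribute's own end, so a next-hop length or prefix length lifted from the packet can neither run past the attribute nor past the buffer, and the failure is a returned error rather than an assert() or an out-of-bounds read.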
Diffstat (limited to 'bgpd/ChangeLog')
-rw-r--r--  bgpd/ChangeLog  20
1 files changed, 20 insertions, 0 deletions
diff --git a/bgpd/ChangeLog b/bgpd/ChangeLog
index 653ce86e..4d6f1ef9 100644
--- a/bgpd/ChangeLog
+++ b/bgpd/ChangeLog
@@ -7,6 +7,26 @@
(bgp_update_rsclient) Ignore REMOVED bgp_info for duplicate,
restore route instead.
(bgp_update_main) Ditto.
+ * bgp_attr.c: (general) Bug #354: parsing of MP_REACH_NLRI and
+ MP_UNREACH_NLRI does not take sufficient care to ensure reads
+ from stream buffer stay in-bounds. Hence bgpd may attempt to read
+ beyond end of stream, if given a crafted packet. As it uses the
+ stream access methods to do so, this will typically result in
+ assert() being hit in stream.c. Where code is compiled without
+ assert() enabled, result is unknown.
+ (struct message attr_str) should be static.
+ (bgp_mp_reach_parse) Carefully check length remaining in stream
+ against amount desired to read from stream, prior to each read,
+ particularly where lengths are conditional on data obtained from
+ stream - using STREAM_READABLE.
+ Remove code to parse SNPA-number, it's a defunct field and changed
+ to a fixed size in latest BGP MP update RFC - log warning if
+ SNPA-number is not 0.
+ (bgp_mp_unreach_parse) Check withdraw_length carefully against
+ STREAM_READABLE.
+ (bgp_attr_parse) If attribute-parser function returns error, log
+ warning.
+ Log attribute type on mismatch.
2007-04-07 Paul Jakma <paul.jakma@sun.com>
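Review bot: the SNPA-number paragraph says the field "changed to a fixed size in latest BGP MP update RFC" without naming it; cite the RFC number (RFC 4760 is the current MP-BGP specification) so the one-octet reserved field the parser now assumes can be checked against the spec. Likewise "Where code is compiled without assert() enabled, result is unknown" understates what the entry itself describes: the reads are out-of-bounds reads from the stream buffer with lengths taken from a crafted packet, and the entry should say that plainly.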