summaryrefslogtreecommitdiff
path: root/bgpd
diff options
context:
space:
mode:
authorCROSS <info@codenomicon.com>2011-09-26 13:17:05 +0400
committerDenis Ovsienko <infrastation@yandex.ru>2011-09-26 18:39:37 +0400
commita1afbc6e1d56b06409de5e8d7d984d565817fd96 (patch)
treea45dfa998baab938e8373950b7bf4c7af60f6dc1 /bgpd
parent3eca6f099d5a3aac0b66dfbf98fd8be84ea426b7 (diff)
bgpd: CVE-2011-3327 (ext. comm. buffer overflow)
This vulnerability (CERT-FI #513254) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. The problem occurs when bgpd receives an UPDATE message containing 255 unknown AS_PATH attributes in Path Attribute Extended Communities. This causes a buffer overlow in bgpd. * bgp_ecommunity.c * ecommunity_ecom2str(): perform size check earlier
Diffstat (limited to 'bgpd')
-rw-r--r--bgpd/bgp_ecommunity.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 8d5fa741..e7eb0a07 100644
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -619,6 +619,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
for (i = 0; i < ecom->size; i++)
{
+ /* Make it sure size is enough. */
+ while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
+ {
+ str_size *= 2;
+ str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
+ }
+
/* Space between each value. */
if (! first)
str_buf[str_pnt++] = ' ';
@@ -662,13 +669,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
break;
}
- /* Make it sure size is enough. */
- while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
- {
- str_size *= 2;
- str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
- }
-
/* Put string into buffer. */
if (encode == ECOMMUNITY_ENCODE_AS4)
{