From a1afbc6e1d56b06409de5e8d7d984d565817fd96 Mon Sep 17 00:00:00 2001 From: CROSS Date: Mon, 26 Sep 2011 13:17:05 +0400 Subject: bgpd: CVE-2011-3327 (ext. comm. buffer overflow) This vulnerability (CERT-FI #513254) was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. The problem occurs when bgpd receives an UPDATE message containing 255 unknown AS_PATH attributes in Path Attribute Extended Communities. This causes a buffer overlow in bgpd. * bgp_ecommunity.c * ecommunity_ecom2str(): perform size check earlier --- bgpd/bgp_ecommunity.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c index 8d5fa741..e7eb0a07 100644 --- a/bgpd/bgp_ecommunity.c +++ b/bgpd/bgp_ecommunity.c @@ -619,6 +619,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format) for (i = 0; i < ecom->size; i++) { + /* Make it sure size is enough. */ + while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size) + { + str_size *= 2; + str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size); + } + /* Space between each value. */ if (! first) str_buf[str_pnt++] = ' '; @@ -662,13 +669,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format) break; } - /* Make it sure size is enough. */ - while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size) - { - str_size *= 2; - str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size); - } - /* Put string into buffer. */ if (encode == ECOMMUNITY_ENCODE_AS4) { -- cgit v1.2.1