[feed/routing.git] / quagga / patches / 002-Quagga-2018-0543.patch
1 From cc2e6770697e343f4af534114ab7e633d5beabec Mon Sep 17 00:00:00 2001
2 From: Paul Jakma <paul@jakma.org>
3 Date: Wed, 3 Jan 2018 23:57:33 +0000
4 Subject: bgpd/security: invalid attr length sends NOTIFY with data overrun
5
6 Security issue: Quagga-2018-0543
7
8 See: https://www.quagga.net/security/Quagga-2018-0543.txt
9
10 * bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly
11 checked, and a NOTIFY prepared. The NOTIFY can include the incorrect
12 received data with the NOTIFY, for debug purposes. Commit
13 c69698704806a9ac5 modified the code to do just that, and also send the
14 malformed attr with the NOTIFY. However, the invalid attribute length was
15 used as the length of the data to send back.
16
17 The result is a read past the end of data, which is then written to the
18 NOTIFY message and sent to the peer.
19
20 A configured BGP peer can use this bug to read up to 64 KiB of memory from
21 the bgpd process, or crash the process if the invalid read is caught by
22 some means (unmapped page and SEGV, or other mechanism) resulting in a DoS.
23
24 This bug _ought_ /not/ be exploitable by anything other than the connected
25 BGP peer, assuming the underlying TCP transport is secure. For no BGP
26 peer should send on an UPDATE with this attribute. Quagga will not, as
27 Quagga always validates the attr header length, regardless of type.
28
29 However, it is possible that there are BGP implementations that do not
30 check lengths on some attributes (e.g. optional/transitive ones of a type
31 they do not recognise), and might pass such malformed attrs on. If such
32 implementations exist and are common, then this bug might be triggerable
33 by BGP speakers further hops away. Those peers will not receive the
34 NOTIFY (unless they sit on a shared medium), however they might then be
35 able to trigger a DoS.
36
37 Fix: use the valid bound to calculate the length.
38
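The length computation the commit message describes, reduced to a standalone model, as an added example that is not Quagga's code: `notify_len_for_bad_attr`, `ATTR_FLAG_EXTLEN` and the byte layout below are assumptions that mirror the BGP path-attribute header (flags, type, 1- or 2-byte length), and the `fixed` flag switches between the over-read length and the bounded one.

```c
#include <stddef.h>
#include <stdint.h>

#define ATTR_FLAG_EXTLEN 0x10  /* extended-length bit in the attribute flags */

/* Walk a path-attribute block of `size` bytes. On the first attribute whose
 * declared length runs past the block, return the byte count a NOTIFY would
 * echo back: with fixed == 0 the declared (attacker-chosen) length is used,
 * with fixed != 0 the count is clamped to the end of the block, as in the
 * patch. Returns 0 when every attribute fits. (Assumed model, not Quagga.) */
size_t notify_len_for_bad_attr(const uint8_t *buf, size_t size, int fixed)
{
    const uint8_t *endp = buf + size;      /* end of attribute block */
    const uint8_t *p = buf;

    while (p < endp) {
        const uint8_t *startp = p;         /* start of this attribute */
        size_t hdr;
        size_t attr_len;

        /* flags(1) + type(1) must fit before we read them */
        if ((size_t)(endp - p) < 2)
            return (size_t)(endp - startp);
        hdr = (p[0] & ATTR_FLAG_EXTLEN) ? 4 : 3;
        if ((size_t)(endp - p) < hdr)
            return (size_t)(endp - startp);

        attr_len = (p[0] & ATTR_FLAG_EXTLEN)
                       ? ((size_t)p[2] << 8) | p[3]
                       : p[2];

        /* The declared length may exceed the remaining block: that is the
         * malformed case the NOTIFY reports. */
        if (attr_len > (size_t)(endp - p) - hdr) {
            if (fixed)
                return (size_t)(endp - startp);      /* bounded by block */
            return hdr + attr_len;                   /* may read past endp */
        }
        p += hdr + attr_len;
    }
    return 0;
}
```
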
39 --- a/bgpd/bgp_attr.c
40 +++ b/bgpd/bgp_attr.c
41 @@ -2079,6 +2079,8 @@ bgp_attr_parse (struct peer *peer, struc
42 memset (seen, 0, BGP_ATTR_BITMAP_SIZE);
43
44 /* End pointer of BGP attribute. */
45 + assert (size <= stream_get_size (BGP_INPUT (peer)));
46 + assert (size <= stream_get_endp (BGP_INPUT (peer)));
47 endp = BGP_INPUT_PNT (peer) + size;
48
49 /* Get attributes to the end of attribute length. */
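Review bot: the two added asserts are invariant checks, not input validation; with NDEBUG defined they compile away, so the bound on `size` must already be guaranteed by the caller that computed it from the UPDATE's attribute-length field. Worth stating that in the comment, since the fix in the second hunk relies on `endp` being inside the stream. Also, `stream_get_endp()` can never exceed `stream_get_size()`, so the second assert implies the first; one of the two lines is enough.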
50 @@ -2160,7 +2162,7 @@ bgp_attr_parse (struct peer *peer, struc
51 bgp_notify_send_with_data (peer,
52 BGP_NOTIFY_UPDATE_ERR,
53 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
54 - startp, attr_endp - startp);
55 + startp, endp - startp);
56 return BGP_ATTR_PARSE_ERROR;
57 }
58
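Review bot: `endp - startp` is bounded by the attribute block, which closes the over-read, but it now echoes every byte from the bad attribute to the end of all attributes rather than the one malformed attribute, so the NOTIFY payload can still be larger than the debug purpose needs. If the intent is only to return the offending header, consider capping the length to the attribute header bytes that were actually parsed (flags, type and the 1- or 2-byte length), which are the bytes that demonstrate the error.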