Date: Fri, 01 May 2009 06:48:43 -0400
From: Jon Oberheide <jon@...rheide.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request (sort of): Quagga BGP crasher
Florian,
On Fri, 2009-05-01 at 11:02 +0200, Florian Weimer wrote:
> There's a crasher bug in Quagga's bgpd which can allegedly be
> triggered by routes present in the global table. See:
>
> <http://thread.gmane.org/gmane.network.quagga.devel/6513>
>
> I think we need a CVE for that, but I don't understand the problem yet
> (and I can't reproduce it), so I can't come up with a concise
> vulnerability description.
Looks like the Quagga code in bgp_aspath.c is assuming that converting
each ASN of the AS path to a string will be 5 bytes plus a space
(#define ASN_STR_LEN (5 + 1)). Therefore, it allocates (ASN_STR_LEN *
the number of ASNs in the path segment) bytes to snprintf into when
creating the pretty-print version of the AS path.
This is all fine and dandy until we hit an AS path with 32-bit ASNs
whose string representation can of course be longer than 5 bytes. The
len += snprintf()'s will return more bytes written than expected and
then we'll hit our assert since we've written more bytes than originally
allocated (str_size).
Have you tried reproducing it with an AS path containing 32-bit ASNs (of
value at least 100000)?
Regards,
Jon Oberheide
--
Jon Oberheide <jon@...rheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
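The sizing mistake Jon describes, as an added illustration (this is not Quagga's bgp_aspath.c and not code from this thread): a fixed per-ASN budget of ASN_STR_LEN bytes is compared with what "%u " actually needs, and a hardened renderer sizes its buffer from the real digit count and treats snprintf truncation as an error instead of an assertion. The ASN_STR_LEN value and the "ASN_STR_LEN * count" allocation are taken from the mail; the function names and the sample AS paths are constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption modelled from the mail: each ASN is budgeted as
 * 5 digits plus one separator when pretty-printing an AS path. */
#define ASN_STR_LEN (5 + 1)

/* Bytes the fixed-budget scheme allocates for n ASNs (per the mail:
 * ASN_STR_LEN * number of ASNs in the segment). */
size_t aspath_fixed_size(size_t n) { return ASN_STR_LEN * n; }

/* Characters (excluding the NUL) that "%u " rendering of these ASNs
 * really produces; snprintf(NULL, 0, ...) counts without writing. */
size_t aspath_needed_chars(const uint32_t *asns, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (size_t)snprintf(NULL, 0, "%" PRIu32 " ", asns[i]);
    return total;
}

/* True when the fixed budget is too small, i.e. the situation in which
 * the accumulated snprintf() return values exceed the allocation. Any
 * ASN of 100000 or more (6+ digits) makes this true. */
bool aspath_fixed_size_overflows(const uint32_t *asns, size_t n) {
    return aspath_needed_chars(asns, n) > aspath_fixed_size(n);
}

/* Hardened renderer: buffer sized from the actual digits, every
 * snprintf result checked, trailing separator stripped. Returns a
 * malloc'd string (caller frees) or NULL on allocation/truncation. */
char *aspath_to_str(const uint32_t *asns, size_t n) {
    size_t size = aspath_needed_chars(asns, n) + 1; /* +1 for NUL */
    char *buf = malloc(size);
    if (!buf)
        return NULL;
    buf[0] = '\0';
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + len, size - len, "%" PRIu32 " ", asns[i]);
        if (w < 0 || (size_t)w >= size - len) { /* would have truncated */
            free(buf);
            return NULL;
        }
        len += (size_t)w;
    }
    if (len > 0)
        buf[len - 1] = '\0'; /* drop the trailing space */
    return buf;
}

int main(void) {
    /* Constructed sample paths: 16-bit ASNs fit the budget, a 32-bit
     * ASN (private range) does not. */
    const uint32_t small[] = {64496, 64497};
    const uint32_t wide[] = {64496, 4200000000u};
    printf("16-bit path: fixed=%zu needed=%zu overflow=%d\n",
           aspath_fixed_size(2), aspath_needed_chars(small, 2),
           aspath_fixed_size_overflows(small, 2));
    printf("32-bit path: fixed=%zu needed=%zu overflow=%d\n",
           aspath_fixed_size(2), aspath_needed_chars(wide, 2),
           aspath_fixed_size_overflows(wide, 2));
    char *s = aspath_to_str(wide, 2);
    if (s) {
        printf("rendered safely: \"%s\"\n", s);
        free(s);
    }
    return 0;
}
```

The point of aspath_fixed_size_overflows is detection: a unit test over paths containing 6- to 10-digit ASNs catches the under-allocation before it reaches a running daemon, whereas sizing from snprintf(NULL, 0, ...) removes the assumption altogether.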