Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 04 May 2009 22:49:36 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request (sort of): Quagga BGP crasher

* Florian Weimer:

> * Jon Oberheide:
>
>> Looks like the Quagga code in bgp_aspath.c is assuming that converting
>> each ASN of the AS path to a string will be 5 bytes plus a space
>> (#define ASN_STR_LEN (5 + 1)).  Therefore, it allocates (ASN_STR_LEN *
>> the number of ASNs in the path segment) bytes to snprintf into when
>> creating the pretty-print version of the AS path.
>
> Sure, this is the part I understand.  It's not clear why this code is
> hit when there isn't much logging going on.  People have also run
> "show ip bgp ROUTE" for paths with six-digit ASNs, with
> supposedly-broken bgpd versions, and did not observe a crash.

It seems that bgpd uses the textual representation of AS paths for
hash-consing them.  That's why the crash happens even without logging
enabled.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ