Date: Mon, 04 May 2009 22:49:36 +0200 From: Florian Weimer <fw@...eb.enyo.de> To: oss-security@...ts.openwall.com Subject: Re: CVE request (sort of): Quagga BGP crasher * Florian Weimer: > * Jon Oberheide: > >> Looks like the Quagga code in bgp_aspath.c is assuming that converting >> each ASN of the AS path to a string will be 5 bytes plus a space >> (#define ASN_STR_LEN (5 + 1)). Therefore, it allocates (ASN_STR_LEN * >> the number of ASNs in the path segment) bytes to snprintf into when >> creating the pretty-print version of the AS path. > > Sure, this is the part I understand. It's not clear why this code is > hit when there isn't much logging going on. People have also run > "show ip bgp ROUTE" for paths with six-digit ASNs, with > supposedly-broken bgpd versions, and did not observe a crash. It seems that bgpd uses the textual representation of AS paths for hash-consing them. That's why the crash happens even without logging enabled.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ