CVE-2023-31489: bgpd: the length check of bgp_capability_llgr is not correct · Issue #13098 · FRRouting/frr
An issue found in FRRouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.
Describe the bug
- Did you check if this is a duplicate issue?
- Did you test it on the latest FRRouting/frr master branch?
Hello, I have found a bug in bgp_capability_llgr: its length check is wrong. In the draft document a tuple has 7 bytes, as shown in the following figure.
The capability value consists of zero or more tuples <AFI, SAFI,
Flags, Long-lived Stale Time> as follows:
+--------------------------------------------------+
| Address Family Identifier (16 bits) |
+--------------------------------------------------+
| Subsequent Address Family Identifier (8 bits) |
+--------------------------------------------------+
| Flags for Address Family (8 bits) |
+--------------------------------------------------+
| Long-lived Stale Time (24 bits) |
+--------------------------------------------------+
While in the code it only checks for 4 bytes.
```c
/* bgp_capability_llgr(): the loop guard only requires 4 bytes to remain,
 * but the body then reads 2 + 1 + 1 + 3 = 7 bytes per tuple. */
while (stream_get_getp(s) + 4 <= end) {
    afi_t afi;
    safi_t safi;
    iana_afi_t pkt_afi = stream_getw(s);    /* 2 bytes: AFI */
    iana_safi_t pkt_safi = stream_getc(s);  /* 1 byte: SAFI */
    uint8_t flags = stream_getc(s);         /* 1 byte: flags */
    uint32_t stale_time = stream_get3(s);   /* 3 bytes: Long-lived Stale Time */
}
```
To Reproduce
If I construct a packet whose LLGR capability value has only 6 bytes, FRRouting will crash.
BGP: in thread bgp_process_packet scheduled from bgpd/bgp_io.c:269 bgp_process_reads()
core_handler: showing active allocations in memory group libfrr
core_handler: memstats: Buffer : 2 * 24
core_handler: memstats: Host config : 8 * (variably sized)
core_handler: memstats: Command Tokens : 12082 * 72
core_handler: memstats: Command Token Text : 8746 * (variably sized)
core_handler: memstats: Command Token Help : 8746 * (variably sized)
core_handler: memstats: Command Argument Name : 2052 * (variably sized)
core_handler: memstats: RCU thread : 2 * 128
core_handler: memstats: FRR POSIX Thread : 4 * (variably sized)
core_handler: memstats: POSIX sync primitives : 4 * (variably sized)
core_handler: memstats: Graph : 40 * 8
core_handler: memstats: Graph Node : 14266 * 32
core_handler: memstats: Hash : 573 * (variably sized)
core_handler: memstats: Hash Bucket : 2340 * 32
core_handler: memstats: Hash Index : 287 * (variably sized)
core_handler: memstats: Link List : 36 * 40
core_handler: memstats: Link Node : 334 * 24
core_handler: memstats: Temporary memory : 15 * (variably sized)
core_handler: memstats: Bitfield memory : 2 * (variably sized)
core_handler: memstats: Northbound Node : 240 * 1192
core_handler: memstats: Northbound Configuration : 2 * 16
core_handler: memstats: Privilege information : 3 * (variably sized)
core_handler: memstats: Ring buffer : 6 * (variably sized)
core_handler: memstats: Skip List : 2 * 56
core_handler: memstats: Skip Node : 2 * 160
core_handler: memstats: Skiplist Counters : 2 * 68
core_handler: memstats: Socket union : 2 * 112
core_handler: memstats: Stream : 12 * (variably sized)
core_handler: memstats: Stream FIFO : 6 * 64
core_handler: memstats: Route table : 100 * 56
core_handler: memstats: Thread : 15 * 160
core_handler: memstats: Thread master : 12 * (variably sized)
core_handler: memstats: Thread Poll Info : 6 * 8388608
core_handler: memstats: Thread stats : 18 * 96
core_handler: memstats: Typed-hash bucket : 5 * (variably sized)
core_handler: memstats: Typed-heap array : 1 * 576
core_handler: memstats: Vector : 28613 * 24
core_handler: memstats: Vector index : 28613 * (variably sized)
core_handler: memstats: VRF : 1 * 216
core_handler: memstats: VTY server : 3 * 32
core_handler: memstats: Work queue : 3 * 152
core_handler: memstats: Work queue name string : 3 * (variably sized)
core_handler: memstats: YANG module : 5 * 48
core_handler: memstats: Zclient : 2 * 3144
core_handler: memstats: Redistribution instance IDs : 6 * 2
core_handler: memstats: log thread-local buffer : 2 * 24608
core_handler: showing active allocations in memory group logging subsystem
core_handler: memstats: log file target : 2 * 88
core_handler: memstats: log file name : 1 * 14
core_handler: showing active allocations in memory group bgpd
core_handler: memstats: BGP instance : 2 * (variably sized)
core_handler: memstats: BGP listen socket details : 2 * 144
core_handler: memstats: BGP peer : 3 * 740824
core_handler: memstats: BGP peer hostname : 4 * (variably sized)
core_handler: memstats: BGP peer af : 2 * 80
core_handler: memstats: BGP attribute : 1 * 312
core_handler: memstats: BGP aspath : 1 * 40
core_handler: memstats: BGP aspath str : 1 * 1
core_handler: memstats: BGP table : 87 * 56
core_handler: memstats: BGP node : 2 * 192
core_handler: memstats: BGP route : 1 * 112
core_handler: memstats: BGP static : 1 * 144
core_handler: memstats: BGP synchronise : 63 * 72
core_handler: memstats: community-list handler : 1 * 120
core_handler: memstats: BGP nexthop : 1 * 184
core_handler: memstats: BGP EVPN MH Information : 1 * 56
core_handler: memstats: BGP PBR Context : 1 * 32
core_handler: memstats: BGP EVPN instance information : 1 * 56
core_handler: showing active allocations in memory group rfapi
core_handler: memstats: NVE Configuration : 1 * 2984
core_handler: memstats: RFAPI Generic : 1 * 296
core_handler: memstats: RFAPI Import Table : 1 * 208
Aborted (core dumped)
Expected behavior
Screenshots
Versions
OS Version:
Kernel:
FRR Version:
Additional context
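The report above comes down to a mismatch between the loop guard (4 bytes remaining) and the bytes the body consumes (7 per tuple). The following is an added, stand-alone example written for this page; it is not FRR's code, not FRR's patch, and does not use the `stream_*` API. It shows a strict parser for the LLGR capability value that only accepts whole 7-byte tuples and never reads past the buffer, alongside a function that models the reported guard arithmetically (without touching memory) to show how many bytes past the end a 6-byte value would cause the reads to reach. The struct name, function names and the sample tuple bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One LLGR capability tuple as laid out in the draft:
 * AFI (16 bits) + SAFI (8 bits) + Flags (8 bits) + Long-lived Stale Time (24 bits) = 7 bytes. */
#define LLGR_TUPLE_LEN 7

/* Hypothetical type for this example (not an FRR type). */
struct llgr_tuple {
    uint16_t afi;
    uint8_t safi;
    uint8_t flags;
    uint32_t stale_time; /* 24-bit field held in the low bits */
};

/* Strict parser: returns the number of tuples decoded into out[], or -1 when the
 * capability value is malformed (not a whole number of 7-byte tuples, or more
 * tuples than out[] can hold). It never reads beyond buf + len. */
int llgr_parse(const uint8_t *buf, size_t len, struct llgr_tuple *out, size_t max_out)
{
    if (len % LLGR_TUPLE_LEN != 0)
        return -1; /* the 6-byte value from the report is rejected here, before any read */
    size_t n = len / LLGR_TUPLE_LEN;
    if (n > max_out)
        return -1;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + i * LLGR_TUPLE_LEN;
        out[i].afi = (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
        out[i].safi = p[2];
        out[i].flags = p[3];
        out[i].stale_time = ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 8) | p[6];
    }
    return (int)n;
}

/* Models the reported guard without touching memory: an iteration is admitted
 * whenever 4 bytes remain, but each iteration then consumes 7. Returns how many
 * bytes past the end of a value of this length the reads would reach
 * (0 means the guard happened to be safe for this length). */
size_t llgr_loose_check_overrun(size_t len)
{
    size_t getp = 0, overrun = 0;
    while (getp + 4 <= len) {
        getp += LLGR_TUPLE_LEN;
        if (getp > len) {
            overrun = getp - len;
            break;
        }
    }
    return overrun;
}

/* Constructed sample: AFI 1 (IPv4), SAFI 1 (unicast), flags 0x80, stale time 300 s. */
static const uint8_t llgr_sample[LLGR_TUPLE_LEN] = {0x00, 0x01, 0x01, 0x80, 0x00, 0x01, 0x2c};

int main(void)
{
    struct llgr_tuple t[2];
    int n = llgr_parse(llgr_sample, sizeof(llgr_sample), t, 2);
    printf("full tuple: %d tuple(s), afi=%u safi=%u flags=0x%02x stale=%u\n",
           n, t[0].afi, t[0].safi, t[0].flags, t[0].stale_time);
    /* Same bytes with the last one missing: the strict parser refuses it. */
    printf("6-byte value: strict parser returns %d\n", llgr_parse(llgr_sample, 6, t, 2));
    printf("6-byte value: loose guard would read %zu byte(s) past the end\n",
           llgr_loose_check_overrun(6));
    return 0;
}
```

The strict parser fails closed on the exact input from the report (a 6-byte value), while the model of the loose guard shows the single iteration it admits would read one byte beyond the value, which is the over-read behind the crash.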
Related news
Ubuntu Security Notice 6136-1 - It was discovered that FRR incorrectly handled parsing certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service. This issue only affected Ubuntu 23.04. It was discovered that FRR incorrectly handled parsing certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.