Headline
CVE-2023-46753: bgpd: A couple more bgpd crashes on malformed attributes by ton31337 · Pull Request #14645 · FRRouting/frr
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
Expand Up @@ -3385,13 +3385,15 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) }
/* Well-known attribute check. */ static int bgp_attr_check(struct peer *peer, struct attr *attr) static int bgp_attr_check(struct peer *peer, struct attr *attr, bgp_size_t length) { uint8_t type = 0;
/* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an * empty UPDATE. */ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && !length) return BGP_ATTR_PARSE_PROCEED;
/* "An UPDATE message that contains the MP_UNREACH_NLRI is not required Expand Down Expand Up @@ -3443,7 +3445,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, enum bgp_attr_parse_ret ret; uint8_t flag = 0; uint8_t type = 0; bgp_size_t length; bgp_size_t length = 0; uint8_t *startp, *endp; uint8_t *attr_endp; uint8_t seen[BGP_ATTR_BITMAP_SIZE]; Expand Down Expand Up @@ -3831,7 +3833,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, }
/* Check all mandatory well-known attributes are present */ ret = bgp_attr_check(peer, attr); ret = bgp_attr_check(peer, attr, length); if (ret < 0) goto done;
Expand Down
Related news
Ubuntu Security Notice 6482-1 - It was discovered that Quagga incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause Quagga to crash, resulting in a denial of service.
Ubuntu Security Notice 6481-1 - It was discovered that FRR incorrectly handled certain malformed NLRI data. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service. It was discovered that FRR incorrectly handled certain BGP UPDATE messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.