Headline
CVE-2023-46752: bgpd: A couple more bgpd crashes on malformed attributes by ton31337 · Pull Request #14645 · FRRouting/frr
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.
Avoid crashing bgpd.
``` (gdb) bgp_mp_reach_parse (args=<optimized out>, mp_update=0x7fffffffe140) at bgpd/bgp_attr.c:2341 2341 stream_get(&attr->mp_nexthop_global, s, IPV6_MAX_BYTELEN); (gdb) stream_get (dst=0x7fffffffe1ac, s=0x7ffff0006e80, size=16) at lib/stream.c:320 320 { (gdb) 321 STREAM_VERIFY_SANE(s); (gdb) 323 if (STREAM_READABLE(s) < size) { (gdb) 34 return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest)); (gdb)
Thread 1 “bgpd” received signal SIGSEGV, Segmentation fault. 0x00005555556e37be in route_set_aspath_prepend (rule=0x555555aac0d0, prefix=0x7fffffffe050, object=0x7fffffffdb00) at bgpd/bgp_routemap.c:2282 2282 if (path->attr->aspath->refcnt) (gdb) ```
With the configuration:
``` neighbor 127.0.0.1 remote-as external neighbor 127.0.0.1 passive neighbor 127.0.0.1 ebgp-multihop neighbor 127.0.0.1 disable-connected-check neighbor 127.0.0.1 update-source 127.0.0.2 neighbor 127.0.0.1 timers 3 90 neighbor 127.0.0.1 timers connect 1 address-family ipv4 unicast redistribute connected neighbor 127.0.0.1 default-originate neighbor 127.0.0.1 route-map RM_IN in exit-address-family ! route-map RM_IN permit 10 set as-path prepend 200 exit ```
Reported-by: Iggy Frankovic [email protected] Signed-off-by: Donatas Abraitis [email protected]
Related news
Ubuntu Security Notice 6481-1 - It was discovered that FRR incorrectly handled certain malformed NLRI data. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service. It was discovered that FRR incorrectly handled certain BGP UPDATE messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.