CVE-2023-31490: bgpd: Missing length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE · Issue #13099 · FRRouting/frr

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Comments

Describe the bug

• Did you check if this is a duplicate issue?
• Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp_attr_psid_sub, there is a missing check of the type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get reseverd field.

/* Placeholder code for the SRv6 L3 Service type */
else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
    if (STREAM_READABLE(peer->curr) < length) {
        flog_err(
            EC_BGP_ATTR_LEN,
            "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
            length, STREAM_READABLE(peer->curr));
        return bgp_attr_malformed(args,
             BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
             args->total);
    }

    /* ignore reserved */
    stream_getc(peer->curr);

To Reproduce

When I construct a psid_sub TLV, Type = 5 and Length = 0, Frrouting will crash.
Expected behavior

Screenshots

Versions

• OS Version:

• Kernel:

• FRR Version:

Additional context

I pushed a PR for this back in December but it’s been stalled due to me being busy with some other stuff
#12454

I’ll get back to it today and get this in

Describe the bug

• Did you check if this is a duplicate issue?
• Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp_attr_psid_sub, there is a missing check of the type = BGP_PREFIX_SID_SRV6_L3_SERVICE when using stream_getc to get reseverd field.

/* Placeholder code for the SRv6 L3 Service type */
else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
  if (STREAM_READABLE(peer->curr) < length) {
      flog_err(
          EC_BGP_ATTR_LEN,
          "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
          length, STREAM_READABLE(peer->curr));
      return bgp_attr_malformed(args,
           BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
           args->total);
  }

  /* ignore reserved */
  stream_getc(peer->curr);

To Reproduce

When I construct a psid_sub TLV, Type = 5 and Length = 0, Frrouting will crash. Expected behavior

Screenshots

Versions

• OS Version:

• Kernel:

• FRR Version:

Additional context

Hi Melissa,

Could you please share with us on how to construct a message that can reproduce this crash?

I tried to use scappy but I’m not sure how to construct such a message.

Thank you!

can you share the PoC and the bgp configuration? thanks!

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue

Jul 31, 2023

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099

Signed-off-by: Narpat Mali [email protected] [Fixup so patch would apply] Signed-off-by: Armin Kuster [email protected]

jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue

Aug 9, 2023

Source: meta-openembedded MR: 127624 Type: Integration Disposition: Merged from meta-openembedded ChangeID: 8ab74be Description:

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

References: https://nvd.nist.gov/vuln/detail/CVE-2023-31490 FRRouting/frr#13099

Signed-off-by: Narpat Mali [email protected] [Fixup so patch would apply] Signed-off-by: Armin Kuster [email protected] Signed-off-by: Jeremy A. Puhlman [email protected]