kumquat-buildroot/package/quagga/0005-bgpd-security-invalid-attr-length-sends-NOTIFY-with-.patch
Peter Korsgaard 157a198d30 quagga: add upstream security fixes
Fixes the following security issues:

CVE-2018-5378

    It was discovered that the Quagga BGP daemon, bgpd, does not
    properly bounds check data sent with a NOTIFY to a peer, if an
    attribute length is invalid. A configured BGP peer can take
    advantage of this bug to read memory from the bgpd process or cause
    a denial of service (daemon crash).

    https://www.quagga.net/security/Quagga-2018-0543.txt

CVE-2018-5379

    It was discovered that the Quagga BGP daemon, bgpd, can double-free
    memory when processing certain forms of UPDATE message, containing
    cluster-list and/or unknown attributes, resulting in a denial of
    service (bgpd daemon crash).

    https://www.quagga.net/security/Quagga-2018-1114.txt

CVE-2018-5380

    It was discovered that the Quagga BGP daemon, bgpd, does not
    properly handle internal BGP code-to-string conversion tables.

    https://www.quagga.net/security/Quagga-2018-1550.txt

CVE-2018-5381

    It was discovered that the Quagga BGP daemon, bgpd, can enter an
    infinite loop if sent an invalid OPEN message by a configured peer.
    A configured peer can take advantage of this flaw to cause a denial
    of service (bgpd daemon not responding to any other events; BGP
    sessions will drop and not be reestablished; unresponsive CLI
    interface).

    https://www.quagga.net/security/Quagga-2018-1975.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-02-19 23:48:35 +01:00

70 lines
2.9 KiB
Diff

From cc2e6770697e343f4af534114ab7e633d5beabec Mon Sep 17 00:00:00 2001
From: Paul Jakma <paul@jakma.org>
Date: Wed, 3 Jan 2018 23:57:33 +0000
Subject: [PATCH] bgpd/security: invalid attr length sends NOTIFY with data
overrun
Security issue: Quagga-2018-0543
See: https://www.quagga.net/security/Quagga-2018-0543.txt
* bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly
checked, and a NOTIFY prepared. The NOTIFY can include the incorrect
received data with the NOTIFY, for debug purposes. Commit
c69698704806a9ac5 modified the code to do that just, and also send the
malformed attr with the NOTIFY. However, the invalid attribute length was
used as the length of the data to send back.
The result is a read past the end of data, which is then written to the
NOTIFY message and sent to the peer.
A configured BGP peer can use this bug to read up to 64 KiB of memory from
the bgpd process, or crash the process if the invalid read is caught by
some means (unmapped page and SEGV, or other mechanism) resulting in a DoS.
This bug _ought_ /not/ be exploitable by anything other than the connected
BGP peer, assuming the underlying TCP transport is secure. For no BGP
peer should send on an UPDATE with this attribute. Quagga will not, as
Quagga always validates the attr header length, regardless of type.
However, it is possible that there are BGP implementations that do not
check lengths on some attributes (e.g. optional/transitive ones of a type
they do not recognise), and might pass such malformed attrs on. If such
implementations exists and are common, then this bug might be triggerable
by BGP speakers further hops away. Those peers will not receive the
NOTIFY (unless they sit on a shared medium), however they might then be
able to trigger a DoS.
Fix: use the valid bound to calculate the length.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
bgpd/bgp_attr.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index ef58beb1..9564637e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2147,6 +2147,8 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size,
memset (seen, 0, BGP_ATTR_BITMAP_SIZE);
/* End pointer of BGP attribute. */
+ assert (size <= stream_get_size (BGP_INPUT (peer)));
+ assert (size <= stream_get_endp (BGP_INPUT (peer)));
endp = BGP_INPUT_PNT (peer) + size;
/* Get attributes to the end of attribute length. */
@@ -2228,7 +2230,7 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size,
bgp_notify_send_with_data (peer,
BGP_NOTIFY_UPDATE_ERR,
BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- startp, attr_endp - startp);
+ startp, endp - startp);
return BGP_ATTR_PARSE_ERROR;
}
--
2.11.0