oss-sec mailing list archives
Re: CVE request (sort of): Quagga BGP crasher
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 04 May 2009 22:49:36 +0200
* Florian Weimer:

> * Jon Oberheide:
>
>> Looks like the Quagga code in bgp_aspath.c is assuming that converting
>> each ASN of the AS path to a string will be 5 bytes plus a space
>> (#define ASN_STR_LEN (5 + 1)). Therefore, it allocates (ASN_STR_LEN *
>> the number of ASNs in the path segment) bytes to snprintf into when
>> creating the pretty-print version of the AS path.
>
> Sure, this is the part I understand. It's not clear why this code is hit
> when there isn't much logging going on. People have also run "show ip bgp
> ROUTE" for paths with six-digit ASNs, with supposedly-broken bgpd
> versions, and did not observe a crash.
It seems that bgpd uses the textual representation of AS paths for hash-consing them. That's why the crash happens even without logging enabled.
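The sizing mistake discussed in the thread, as an added illustration that is not Quagga's code and not part of the original message: the fixed per-ASN estimate (five digits plus a space) is compared with the length the textual AS path actually needs once 4-byte AS numbers (up to ten decimal digits) are in play. The function names, the hardened formatter and the sample paths are all constructed for this example; only ASN_STR_LEN and the "count * ASN_STR_LEN" allocation come from the quoted description.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed per-ASN estimate quoted in the thread: five digits plus a space. */
#define ASN_STR_LEN (5 + 1)

/* Buffer size the quoted code would allocate for a segment of n ASNs. */
size_t aspath_buf_assumed(size_t n) { return n * ASN_STR_LEN; }

/* Decimal digit count of a 32-bit ASN (4-byte AS numbers reach 4294967295). */
size_t asn_digits(uint32_t asn) {
    size_t d = 1;
    while (asn >= 10) { asn /= 10; d++; }
    return d;
}

/* Exact size needed for "A B C" over the given ASNs, including the NUL. */
size_t aspath_buf_needed(const uint32_t *asns, size_t n) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        len += asn_digits(asns[i]) + 1; /* digits plus separator (or final NUL) */
    return len == 0 ? 1 : len;
}

/* Hypothetical hardened formatter (constructed for this example): the buffer
 * is sized from the actual ASNs and every snprintf is bounded by the space
 * that remains, so an oversized ASN yields NULL instead of an overrun. */
char *aspath_to_str(const uint32_t *asns, size_t n) {
    size_t size = aspath_buf_needed(asns, n);
    char *buf = malloc(size);
    if (!buf) return NULL;
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + used, size - used, "%s%u",
                         i ? " " : "", (unsigned)asns[i]);
        if (w < 0 || (size_t)w >= size - used) { /* would have truncated */
            free(buf);
            return NULL;
        }
        used += (size_t)w;
    }
    return buf;
}

/* 1 when the fixed estimate is smaller than what this path really needs. */
int assumed_size_too_small(const uint32_t *asns, size_t n) {
    return aspath_buf_needed(asns, n) > aspath_buf_assumed(n);
}

int main(void) {
    /* Constructed sample paths: 16-bit ASNs fit the estimate, 4-byte ones do not. */
    uint32_t small[] = {65000, 3356, 7018};
    uint32_t big[]   = {196613, 4200000000u, 65000};
    char *s = aspath_to_str(big, 3);
    printf("path \"%s\": needs %zu bytes, old estimate %zu, too small=%d\n",
           s ? s : "(null)", aspath_buf_needed(big, 3), aspath_buf_assumed(3),
           assumed_size_too_small(big, 3));
    printf("16-bit path too small=%d\n", assumed_size_too_small(small, 3));
    free(s);
    return 0;
}
```

The check that matters for detection and review is assumed_size_too_small: any AS path containing an ASN above 99999 pushes the real string length past the fixed estimate, which is exactly the condition under which a count-based allocation stops being safe.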