oss-sec mailing list archives
Re: CVE request (sort of): Quagga BGP crasher
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 01 May 2009 22:03:35 +0200
* Jon Oberheide:
> Looks like the Quagga code in bgp_aspath.c is assuming that converting each ASN of the AS path to a string will be 5 bytes plus a space (#define ASN_STR_LEN (5 + 1)). Therefore, it allocates (ASN_STR_LEN * the number of ASNs in the path segment) bytes to snprintf into when creating the pretty-print version of the AS path.
Sure, this is the part I understand. It's not clear why this code is hit when there isn't much logging going on. People have also run "show ip bgp ROUTE" for paths with six-digit ASNs, with supposedly-broken bgpd versions, and did not observe a crash.
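Added illustration (not Quagga's code, and not part of the original thread) of the sizing mismatch described above: a per-ASN estimate of 5 digits plus a space fits 16-bit ASNs, but a 32-bit ASN needs up to 10 digits, so a buffer sized from ASN_STR_LEN alone is too small. The functions fixed_estimate, required_len and format_path are hypothetical names chosen for this example; format_path uses snprintf's return value to detect an undersized buffer instead of overrunning it.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The fixed per-ASN estimate quoted in the thread: five digits plus a space. */
#define ASN_STR_LEN (5 + 1)

/* Bytes the fixed estimate allocates for a segment of n ASNs. */
size_t fixed_estimate(size_t n)
{
    return ASN_STR_LEN * n;
}

/* Bytes actually needed: the digits of each ASN plus a separator, plus the NUL.
   snprintf(NULL, 0, ...) returns the length without writing anything. */
size_t required_len(const uint32_t *asns, size_t n)
{
    size_t len = 1; /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        len += (size_t)snprintf(NULL, 0, "%" PRIu32 " ", asns[i]);
    return len;
}

/* Pretty-print the path into buf. Returns 1 on success and 0 if buf is too
   small; in the failure case the output is truncated, never overrun. */
int format_path(const uint32_t *asns, size_t n, char *buf, size_t bufsz)
{
    size_t pos = 0;
    if (bufsz == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + pos, bufsz - pos, "%" PRIu32 " ", asns[i]);
        if (w < 0 || (size_t)w >= bufsz - pos)
            return 0; /* would not fit: fixed-size buffer was undersized */
        pos += (size_t)w;
    }
    return 1;
}
```

With 16-bit ASNs both sizes agree, which is why routine logging and "show ip bgp" on short-ASN paths never exercise the difference; only a path carrying large 32-bit ASNs makes required_len exceed fixed_estimate.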