Commit 5a5646b

fenner authored and fxlb committed
Bgp: Fix an undefined behavior when it tries to parse a too-short packet
It's not enough for the *packet* to be able to contain the RD; the route data also has to be long enough; otherwise, we will try to shift a negative length left in order to pass it to bgp_vpn_ip_print()

print-bgp.c:1848:9: runtime error: left shift of negative value -8
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior print-bgp.c:1848:9

[Part of the PR #1012]
1 parent dbca207 commit 5a5646b

4 files changed

+230
-0
lines changed

print-bgp.c

Lines changed: 2 additions & 0 deletions
@@ -1268,6 +1268,8 @@ decode_multicast_vpn(netdissect_options *ndo,
12681268
switch(route_type) {
12691269
case BGP_MULTICAST_VPN_ROUTE_TYPE_INTRA_AS_I_PMSI:
12701270
ND_TCHECK_LEN(pptr, BGP_VPN_RD_LEN);
1271+
if (route_length < BGP_VPN_RD_LEN)
1272+
goto trunc;
12711273
offset = (u_int)strlen(buf);
12721274
snprintf(buf + offset, buflen - offset, ", RD: %s, Originator %s",
12731275
bgp_vpn_rd_print(ndo, pptr),
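
Review bot: in the `BGP_MULTICAST_VPN_ROUTE_TYPE_INTRA_AS_I_PMSI` case, the new `route_length < BGP_VPN_RD_LEN` test jumps to `trunc` even though the preceding `ND_TCHECK_LEN(pptr, BGP_VPN_RD_LEN)` has already established that the bytes were captured, so a malformed length field is reported the same way as a short capture. Consider reporting it as an invalid route length instead, and add a one-line comment saying that the check keeps the length handed to `bgp_vpn_ip_print()` from going negative before it is shifted, since that reason currently lives only in the commit message. Any other case of this `switch(route_type)` that reads an RD out of the route data would need the same guard.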

tests/TESTLIST

Lines changed: 1 addition & 0 deletions
@@ -930,3 +930,4 @@ ip-snmp-leftshift-unsigned ip-snmp-leftshift-unsigned.pcap ip-snmp-leftshift-uns
930930
ip6-snmp-oid-unsigned ip6-snmp-oid-unsigned.pcap ip6-snmp-oid-unsigned.out
931931
lwres-pointer-arithmetic-ub lwres-pointer-arithmetic-ub.pcap lwres-pointer-arithmetic-ub.out
932932
ospf-signed-integer-ubsan ospf-signed-integer-ubsan.pcap ospf-signed-integer-ubsan.out -vv
933+
bgp-ub bgp-ub.pcap bgp-ub.out -v
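
Review bot: the new entry `bgp-ub` says less about what it covers than the entries just above it (`lwres-pointer-arithmetic-ub`, `ospf-signed-integer-ubsan`, `ip-snmp-leftshift-unsigned`), and the next BGP undefined-behavior test will want the same name. A name that identifies the decoder and the defect, for example one mentioning the multicast VPN route and the left shift, would make a future failure easier to place.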

tests/bgp-ub.out

Lines changed: 227 additions & 0 deletions
@@ -0,0 +1,227 @@
1+
1 13:29:37.678220 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 4748)
2+
127.0.0.1.540 > 127.0.0.1.179: Flags [S], cksum 0xf1a8 (correct), seq 0:4708, win 8192, length 4708: BGP [|bgp]
3+
Update Message (2), length: 154
4+
Origin (1), length: 1, Flags [T]: Incomplete
5+
AS Path (2), length: 0, Flags [T]: empty
6+
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
7+
Local Preference (5), length: 4, Flags [T]: 4456548
8+
Extended Community (16), length: 8, Flags [OT]:
9+
target (0x0002), Flags [none]: 18826:630 (= 0.0.2.118)
10+
Cluster List (10), length: 4, Flags [O]: 172.17.0.0
11+
Originator ID (9), length: 4, Flags [O]: 172.17.0.5
12+
Multi-Protocol Reach NLRI (14), length: 81, Flags [OE]:
13+
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128)
14+
nexthop: RD: 0:0 (= 0.0.0.0), 172.145.0.5, nh-length: 12, no SNPA
15+
RD: 18826:630 (= 0.0.2.118), 172.17.30.208/28, label:1027 (bottom)
16+
RD: 18826:630 (= 0.0.2.118), 172.17.30.224/28, label:1027 (bottom)
17+
(illegal prefix length)
18+
Update Message (2), length: 105
19+
Origin (1), length: 1, Flags [T]: Incomplete
20+
AS Path (2), length: 0, Flags [T]: empty
21+
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
22+
Local Preference (5), length: 4, Flags [T]: 100
23+
Extended Community (16), length: 8, Flags [OT]:
24+
target (0x0002), Flags [none]: 18826:620 (= 0.0.2.108)
25+
Cluster List (10), length: 37, Flags [O]: invalid len
26+
Unknown Attribute (73), length: 138 [path attrs too short]
27+
Update Message (2), length: 154
28+
Origin (1), length: 1, Flags [T]: Incomplete
29+
AS Path (2), length: 0, Flags [T]: empty
30+
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
31+
Local Preference (5), length: 4, Flags [T]: 100
32+
Extended Community (16), length: 8, Flags [OT]:
33+
target (0x0002), Flags [none]: 18826:640 (= 0.0.2.128)
34+
Cluster List (10), length: 4, Flags [O]: 172.17.0.0
35+
Originator ID (9), length: 4, Flags [O]: 172.17.0.5
36+
Multi-Protocol Reach NLRI (14), length: 81, Flags [OE]:
37+
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128)
38+
nexthop: RD: 0:0 (= 0.0.0.0), 172.17.0.5, nh-length: 12, no SNPA
39+
RD: 18826:640 (= 0.0.2.128), 172.17.33.64/28, label:1028 (bottom)
40+
RD: 18826:640 (= 0.0.2.128), 172.17.33.80/28, label:1028 (bottom)
41+
RD: 18826:640 (= 0.0.2.128), 172.84.34.0/28, label:132100 (bottom)
42+
RD: 18826:549 (= 0.0.2.37), 0.17.34.16/28, label:1028 (bottom)
43+
Update Message (2), length: 202
44+
Withdrawn routes:
45+
0.0.0.0/0
46+
(illegal prefix length) [|bgp] [|bgp]
47+
Update Message (2), length: 106
48+
Origin (1), length: 1, Flags [T]: Incomplete
49+
AS Path (2), length: 0, Flags [T]: empty
50+
Attribute Set (128), length: 3, Flags [O]: [|bgp] [|bgp]
51+
Update Message (2), length: 172
52+
Origin (1), length: 1, Flags [T]: Incomplete
53+
AS Path (2), length: 4, Flags [T]: 64520
54+
Multi Exit Discriminator (4), length: 4, Flags [O]: 131
55+
Unknown Attribute (113), length: 16, Flags [T]:
56+
no Attribute 113 decoder
57+
0x0000: ffff ffff ffff ffff ffff ffff ffff ffff
58+
Unknown Attribute (75), length: 2
59+
no Attribute 75 decoder
60+
0x0000: 0000
61+
Unknown Attribute (47), length: 64
62+
no Attribute 47 decoder
63+
0x0000: 0101 0040 0206 0201 0001 0000 4003 04c0
64+
0x0010: 0002 02c0 2018 0001 0000 0000 0001 0000
65+
0x0020: 0001 0001 0000 0000 0001 0000 0002 20cb
66+
0x0030: 0071 0cff ffff ffff ffff ffff ffff ffff
67+
Reserved for development (255), length: 65280, Flags [OTPE+f]: [path attrs too short] [|bgp]
68+
Update Message (2), length: 75
69+
Origin (1), length: 1, Flags [T]: IGP
70+
AS Path (2), length: 6, Flags [T]: 65536
71+
Next Hop (3), length: 4, Flags [T]: 192.0.2.2
72+
Large Community (32), length: 24, Flags [OT]:
73+
65536:0:1, 65536:1:0
74+
Updated routes:
75+
203.0.113.15/32
76+
Update Message (2), length: 87
77+
Origin (1), length: 1, Flags [T]: IGP
78+
AS Path (2), length: 6, Flags [T]: 65536
79+
Next Hop (3), length: 4, Flags [T]: 5.12.0.0
80+
Unknown Attribute (100), length: 192, Flags [+1]: [path attrs too short]
81+
Updated routes:
82+
0.0.0.0/0
83+
(illegal prefix length) [|bgp]
84+
Update Message (2), length: 105
85+
Origin (1), length: 1, Flags [T]: Incomplete
86+
AS Path (2), length: 0, Flags [T]: empty
87+
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
88+
Local Preference (5), length: 4, Flags [T]: 100
89+
Extended Community (16), length: 8, Flags [OT]:
90+
target (0x0002), Flags [none]: 18826:620 (= 0.0.2.108)
91+
Cluster List (10), length: 37, Flags [O]: invalid len
92+
Unknown Attribute (73), length: 138 [path attrs too short]
93+
Update Message (2), length: 154
94+
Origin (1), length: 1, Flags [T]: Incomplete
95+
AS Path (2), length: 0, Flags [T]: empty
96+
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
97+
Local Preference (5), length: 4, Flags [T]: 100
98+
Extended Community (16), length: 8, Flags [OT]:
99+
target (0x0002), Flags [none]: 18826:640 (= 0.0.2.128)
100+
Cluster List (10), length: 4, Flags [O]: 172.17.0.0
101+
Originator ID (9), length: 4, Flags [O]: 172.17.0.5
102+
Multi-Protocol Reach NLRI (14), length: 81, Flags [OE]:
103+
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128)
104+
nexthop: RD: 0:0 (= 0.0.0.0), 172.17.0.5, nh-length: 12, no SNPA
105+
RD: 18826:640 (= 0.0.2.128), 172.17.33.64/28, label:1028 (bottom)
106+
RD: 18826:640 (= 0.0.2.128), 172.17.33.80/28, label:1028 (bottom)
107+
RD: 18826:640 (= 0.0.2.128), 172.84.34.0/28, label:132100 (bottom)
108+
RD: 18826:549 (= 0.0.2.37), 0.17.34.16/28, label:1028 (bottom)
109+
Update Message (2), length: 202
110+
Withdrawn routes:
111+
0.0.0.0/0
112+
(illegal prefix length) [|bgp] [|bgp]
113+
Update Message (2), length: 106
114+
Origin (1), length: 1, Flags [T]: Incomplete
115+
AS Path (2), length: 0, Flags [T]: empty
116+
Attribute Set (128), length: 3, Flags [O]: [|bgp] [|bgp]
117+
Update Message (2), length: 172
118+
Origin (1), length: 1, Flags [T]: Incomplete
119+
AS Path (2), length: 4, Flags [T]: 64520
120+
Multi Exit Discriminator (4), length: 4, Flags [O]: 131
121+
Unknown Attribute (113), length: 16, Flags [T]:
122+
no Attribute 113 decoder
123+
0x0000: ffff ffff ffff ffff ffff ffff ffff ffff
124+
Unknown Attribute (75), length: 2
125+
no Attribute 75 decoder
126+
0x0000: 0000
127+
Unknown Attribute (47), length: 64
128+
no Attribute 47 decoder
129+
0x0000: 0101 0040 0206 0201 0001 0000 4003 04c0
130+
0x0010: 0002 02c0 2018 0001 0000 0000 0001 0000
131+
0x0020: 0001 0001 0000 0000 0001 0000 0002 20cb
132+
0x0030: 0071 0cff ffff ffff ffff ffff ffff ffff
133+
Reserved for development (255), length: 65280, Flags [OTPE+f]: [path attrs too short] [|bgp]
134+
Update Message (2), length: 75
135+
Origin (1), length: 1, Flags [T]: IGP
136+
AS Path (2), length: 6, Flags [T]: 65536
137+
Next Hop (3), length: 4, Flags [T]: 192.0.2.2
138+
Large Community (32), length: 24, Flags [OT]:
139+
65536:0:1, 65536:1:0
140+
Updated routes:
141+
203.0.113.15/32
142+
Update Message (2), length: 87
143+
Origin (1), length: 1, Flags [T]: IGP
144+
AS Path (2), length: 6, Flags [T]: 65536
145+
Next Hop (3), length: 4, Flags [T]: 5.12.0.0
146+
Unknown Attribute (100), length: 192, Flags [+1]: [path attrs too short]
147+
Updated routes:
148+
0.0.0.0/0
149+
(illegal prefix length) [|bgp]
150+
Update Message (2), length: 106
151+
Origin (1), length: 1, Flags [T]: Incomplete
152+
AS Path (2), length: 0, Flags [T]: empty
153+
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
154+
Local Preference (5), length: 4, Flags [T]: 100
155+
Extended Community (16), length: 8, Flags [OT]:
156+
target (0x0002), Flags [none]: 18826:610 (= 0.0.2.98)
157+
Cluster List (10), length: 40, Flags [O]: 24.120.4.0, 0.0.0.41, 24.120.4.1, 64.15.19.0, 1.1.0.0, 2.188.24.32, 45.0.0.0, 2.189.24.32, 45.1.64.14, 61.0.2.1
158+
Large Community (32), length: 0, Flags [E]: invalid len
159+
Unknown Attribute (21), length: 24 [path attrs too short] [|bgp]
160+
Update Message (2), length: 100
161+
Unknown Attribute (0), length: 0
162+
no Attribute 0 decoder
163+
Reserved for development (255), length: 255 [path attrs too short] [|bgp]
164+
Update Message (2), length: 95
165+
Origin (1), length: 1, Flags [T]: IGP
166+
AS Path (2), length: 0, Flags [T]: empty
167+
Local Preference (5), length: 4, Flags [T]: 100
168+
Extended Community (16), length: 8, Flags [OT]:
169+
target (0x0002), Flags [none]: 1:1 (= 0.0.0.1)
170+
PMSI Tunnel (22), length: 17, Flags [OT]:
171+
Tunnel-type RSVP-TE P2MP LSP (1), Flags [none], MPLS Label 0
172+
Extended-Tunnel-ID 10.0.0.4, P2MP-ID 0x00008173
173+
Multi-Protocol Reach NLRI (14), length: 23, Flags [OE]:
174+
AFI: IPv4 (1), SAFI: Multicast VPN (5)
175+
nexthop: 10.0.0.4, nh-length: 4
176+
8 SNPA
177+
1 bytes
178+
0 bytes
179+
0 bytes
180+
0 bytes
181+
1 bytes
182+
0 bytes
183+
1 bytes
184+
0 bytes
185+
Route-Type: Unknown (181), length: 0 [|bgp] [|bgp]
186+
Update Message (2), length: 106
187+
Origin (1), length: 1, Flags [T]: Incomplete
188+
AS Path (2), length: 0, Flags [T]: empty
189+
Multi Exit Discriminator (4), length: 4, Flags [O]: 0
190+
Local Preference (5), length: 4, Flags [T]: 100
191+
Extended Community (16), length: 8, Flags [OT]:
192+
target (0x0002), Flags [none]: 18826:610 (= 0.0.2.98)
193+
Cluster List (10), length: 40, Flags [O]: 24.120.4.0, 0.0.0.41, 24.120.4.1, 64.15.19.0, 1.1.0.0, 2.188.24.32, 45.0.0.0, 2.189.24.32, 45.1.64.14, 61.0.2.1
194+
Large Community (32), length: 0, Flags [E]: invalid len
195+
Unknown Attribute (21), length: 24 [path attrs too short] [|bgp]
196+
Update Message (2), length: 100
197+
Unknown Attribute (0), length: 0
198+
no Attribute 0 decoder
199+
Reserved for development (255), length: 255 [path attrs too short] [|bgp]
200+
Update Message (2), length: 95
201+
Origin (1), length: 1, Flags [T]: IGP
202+
AS Path (2), length: 0, Flags [T]: empty
203+
Local Preference (5), length: 4, Flags [T]: 100
204+
Extended Community (16), length: 8, Flags [OT]:
205+
target (0x0002), Flags [none]: 1:1 (= 0.0.0.1)
206+
PMSI Tunnel (22), length: 17, Flags [OT]:
207+
Tunnel-type RSVP-TE P2MP LSP (1), Flags [none], MPLS Label 0
208+
Extended-Tunnel-ID 10.0.0.4, P2MP-ID 0x00008173
209+
Multi-Protocol Reach NLRI (14), length: 23, Flags [OE]:
210+
AFI: IPv4 (1), SAFI: Multicast VPN (5)
211+
nexthop: 10.0.0.4, nh-length: 4
212+
8 SNPA
213+
1 bytes
214+
0 bytes
215+
0 bytes
216+
0 bytes
217+
1 bytes
218+
0 bytes
219+
0 bytes
220+
1 bytes
221+
Route-Type: Unknown (0), length: 0
222+
Route-Type: Intra-AS Segment-Leaf (4), length: 255
223+
Update Message (2), length: 30
224+
Multi-Protocol Unreach NLRI (15), length: 3, Flags [OE]:
225+
AFI: IPv4 (1), SAFI: labeled VPN Unicast (128)
226+
End-of-Rib Marker (empty NLRI)
227+
[|BGP Unknown Message Type]
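
Review bot: the expected output runs to 227 lines for a single 4708-byte TCP segment, and none of them names the Intra-AS I-PMSI route type that the code change guards, so a reader cannot tell from this file which record reaches the new check. Lines 84 to 149 also repeat lines 18 to 83 verbatim. Trimming the capture to the one Update Message that triggered the sanitizer report, or stating in the commit message which record does, would make the test show what it protects and keep later diffs of this file small when unrelated BGP printing changes.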

tests/bgp-ub.pcap

4.69 KB
Binary file not shown.