From 9e5251151894aefdf8e9392a2371615222119ad8 Mon Sep 17 00:00:00 2001
From: Paul Jakma <paul@jakma.org>
Date: Sat, 6 Jan 2018 22:31:52 +0000
Subject: [PATCH] bgpd/security: debug print of received NOTIFY data can
over-read msg array
Security issue: Quagga-2018-1550
See: https://www.quagga.net/security/Quagga-2018-1550.txt
* bgpd/bgp_debug.c: (struct message) Nearly every one of the NOTIFY
code/subcode message arrays has their corresponding size variables off
by one, as most have 1 as first index.
This means (bgp_notify_print) can cause mes_lookup to overread the (struct
message) by 1 pointer value if given an unknown index.
Fix the bgp_notify_..._msg_max variables to use the compiler to calculate
the correct sizes.
---
bgpd/bgp_debug.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
index ba797228..43faee7c 100644
--- a/bgpd/bgp_debug.c
+++ b/bgpd/bgp_debug.c
@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
#include "log.h"
#include "sockunion.h"
#include "filter.h"
+#include "memory.h"
#include "bgpd/bgpd.h"
#include "bgpd/bgp_aspath.h"
@@ -73,7 +74,8 @@ const struct message bgp_status_msg[] =
{ Clearing, "Clearing" },
{ Deleted, "Deleted" },
};
-const int bgp_status_msg_max = BGP_STATUS_MAX;
+#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg)
+BGP_DEBUG_MSG_MAX (bgp_status_msg);
/* BGP message type string. */
const char *bgp_type_str[] =
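Review bot: The new `BGP_DEBUG_MSG_MAX` macro is defined without a comment, so the invariant it exists to enforce is not recorded next to it. I would add above the `#define`: `/* Define <msg>_max as the element count of <msg>; a lookup bounded by a larger value reads past the end of the table. */`. The macro also narrows the result of `array_size` into a `const int`, which is harmless for tables this small but worth noting in the same comment. `array_size` is not defined in this patch; presumably it is visible through the newly included `memory.h`.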
@@ -84,7 +86,8 @@ const char *bgp_type_str[] =
"NOTIFICATION",
"KEEPALIVE",
"ROUTE-REFRESH",
- "CAPABILITY"
+ "CAPABILITY",
+ NULL,
};
/* message for BGP-4 Notify */
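Review bot: The `NULL` entry appended to `bgp_type_str[]` is not explained, and nothing in this hunk shows a consumer that tests for it. If a caller indexes the array with a message type taken from a received packet and hands the result to a `%s` conversion, the slot after `"CAPABILITY"` now yields a null pointer, which is still undefined for printf-style formatting. I would add a comment such as `/* sentinel: callers must bounds-check the type and test for NULL before printing */` and confirm that the callers do so. The start of the array and its users are outside this hunk.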
@@ -98,15 +101,15 @@ static const struct message bgp_notify_msg[] =
{ BGP_NOTIFY_CEASE, "Cease"},
{ BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"},
};
-static const int bgp_notify_msg_max = BGP_NOTIFY_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_msg);
static const struct message bgp_notify_head_msg[] =
{
{ BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"},
{ BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"},
- { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}
+ { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"},
};
-static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);
static const struct message bgp_notify_open_msg[] =
{
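Review bot: `BGP_DEBUG_MSG_MAX (bgp_notify_msg);` and `BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);` expand to `const int ..._max` without `static`, so both variables move from internal to external linkage although their tables stay `static`. The same happens in the hunks at `@@ -119`, `@@ -136`, `@@ -150` and `@@ -159`. Writing `static BGP_DEBUG_MSG_MAX (bgp_notify_msg);` at each of these call sites keeps the symbols file-local without touching the macro or the non-static `bgp_status_msg_max`. The `bgp_notify_open_msg` table opened at the end of this hunk continues outside it.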
@@ -119,7 +122,7 @@ static const struct message bgp_notify_open_msg[] =
{ BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"},
{ BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"},
};
-static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_open_msg);
static const struct message bgp_notify_update_msg[] =
{
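Review bot: `BGP_NOTIFY_OPEN_MAX` stops being the bound for `bgp_notify_open_msg` here, but it is presumably still defined in a header, and the commit message says such values are one larger than the table's element count. Any remaining code that uses it, or the other `BGP_NOTIFY_*_MAX` constants replaced in this patch, as a bound for these tables would keep the same one-entry over-read. I would search for remaining users and either retire the constants or add next to each definition a comment like `/* not the element count of bgp_notify_open_msg[]; do not use as a table bound */`. The definitions are outside this diff, so this needs checking against the tree.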
@@ -136,7 +139,7 @@ static const struct message bgp_notify_update_msg[] =
{ BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"},
{ BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"},
};
-static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_update_msg);
static const struct message bgp_notify_cease_msg[] =
{
@@ -150,7 +153,7 @@ static const struct message bgp_notify_cease_msg[] =
{ BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"},
{ BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"},
};
-static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg);
static const struct message bgp_notify_capability_msg[] =
{
@@ -159,7 +162,7 @@ static const struct message bgp_notify_capability_msg[] =
{ BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"},
{ BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"},
};
-static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg);
/* Origin strings. */
const char *bgp_origin_str[] = {"i","e","?"};
--
2.14.3