author | paul <paul> | 2007-09-07 14:24:55 +0000 |
committer | paul <paul> | 2007-09-07 14:24:55 +0000 |
commit | 311d971c4866f25c628fe298faf8b87e604ff5e5 (patch) | |
tree | 6d6a5b9317756daad387c86b3c6f0759912cbdb4 | |
parent | e8eb297f83408c02fbe4f193f0da4b16a83bb26a (diff) | |
[bgpd] low-impact DoS: crash on malformed community with debug set
2007-09-07 Paul Jakma <paul.jakma@sun.com>
* (general) bgpd can be made to crash by remote peers if debug
bgp updates is set, due to NULL pointer dereference.
Reported by "Mu Security Research Team",
<security@musecurity.com>.
* bgp_attr.c: (bgp_attr_community) If community length is 0,
don't set the community-present attribute bit, just return
early.
* bgp_debug.c: (community_str,community_com2str) Check com
pointer before dereferencing.
-rw-r--r-- | bgpd/ChangeLog | 12 | ||||
-rw-r--r-- | bgpd/bgp_attr.c | 5 | ||||
-rw-r--r-- | bgpd/bgp_community.c | 6 |
3 files changed, 22 insertions, 1 deletions
diff --git a/bgpd/ChangeLog b/bgpd/ChangeLog
index 1cf5515b..7542df78 100644
--- a/bgpd/ChangeLog
+++ b/bgpd/ChangeLog
@@ -1,3 +1,15 @@
+2007-09-07 Paul Jakma <paul.jakma@sun.com>
+
+ * (general) bgpd can be made crash by remote peers if debug
+ bgp updates is set, due to NULL pointer dereference.
+ Reported by "Mu Security Research Team",
+ <security@musecurity.com>.
+ * bgp_attr.c: (bgp_attr_community) If community length is 0,
+ don't set the community-present attribute bit, just return
+ early.
+ * bgp_debug.c: (community_str,community_com2str) Check com
+ pointer before dereferencing.
+
 2007-08-27 Paul Jakma <paul.jakma@sun.com>
 
  * bgp_route.c: (bgp_announce_check) Fix bug #398, slight
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index ee17b6d7..9d13ca6e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1007,7 +1007,10 @@ bgp_attr_community (struct peer *peer, bgp_size_t length,
 struct attr *attr, u_char flag)
 {
 if (length == 0)
- attr->community = NULL;
+ {
+ attr->community = NULL;
+ return 0;
+ }
 else
 {
 attr->community =
diff --git a/bgpd/bgp_community.c b/bgpd/bgp_community.c
index 07b8cf81..d5e9821b 100644
--- a/bgpd/bgp_community.c
+++ b/bgpd/bgp_community.c
@@ -206,6 +206,9 @@ community_com2str (struct community *com)
 u_int16_t as;
 u_int16_t val;
 
+ if (!com)
+ return NULL;
+
 /* When communities attribute is empty. */
 if (com->size == 0)
 {
@@ -377,6 +380,9 @@ community_dup (struct community *com)
 char *
 community_str (struct community *com)
 {
+ if (!com)
+ return NULL;
+
 if (! com->str)
 com->str = community_com2str (com);
 return com->str;
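Review bot: The new early-return block in bgp_attr_community records nothing about why a zero-length community must return before the presence bit is set, so the invariant the whole fix rests on ("attribute flagged present implies attr->community is non-NULL") lives only in the ChangeLog; a comment on the added block such as `/* Zero-length community: leave attr->community NULL and return before the attribute is flagged present, so consumers that key off the flag bit never dereference a NULL community. */` would keep a later refactor from re-adding the flag for the empty case. The place where the flag bit is set, and the rest of the else branch, lie outside this hunk, so I am inferring from the ChangeLog that they follow below. As a point of style, once the zero-length case returns, the `else` and its extra indentation level are redundant and the block reads more naturally as a guard clause, though flattening it would touch lines beyond the hunk. The bare `return 0;` also presumably means "parsed OK"; if bgp_attr.c has a named status for that, using it here would make the early exit self-explanatory.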
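Review bot: The ChangeLog entry credits the NULL guards to bgp_debug.c, but both hunks that add `if (!com) return NULL;` are in bgp_community.c (community_com2str and community_str), so the entry should name the file actually changed. Returning NULL from community_str moves the NULL handling to every caller; if the debug path hands the result straight to a `"%s"` conversion, that is still undefined behaviour in standard C even where the libc happens to print "(null)", so either the callers need a NULL check or community_str could return a static empty string (`return "";`) for a NULL com, depending on whether any existing caller relies on a NULL result, which this hunk does not show. The `com->size == 0` branch a few lines below already handles an empty community, so these guards are defence in depth against a NULL pointer rather than against an empty attribute, and a one-line comment saying so (`/* Defensive: a NULL com means no community attribute at all. */`) would make that distinction clear to the next reader.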