[bgpd] low-impact DoS: crash on malformed community with debug set

2007-09-07 Paul Jakma <paul.jakma@sun.com>

	* (general) bgpd can be made to crash by remote peers if debug
	  bgp updates is set, due to NULL pointer dereference.
	  Reported by "Mu Security Research Team",
	  <security@musecurity.com>.
	* bgp_attr.c: (bgp_attr_community) If community length is 0,
	  don't set the community-present attribute bit, just return
	  early.
	* bgp_debug.c: (community_str,community_com2str) Check com
	  pointer before dereferencing.
diff --git a/bgpd/ChangeLog b/bgpd/ChangeLog
index 1cf5515..7542df7 100644
--- a/bgpd/ChangeLog
+++ b/bgpd/ChangeLog
@@ -1,3 +1,15 @@
+2007-09-07 Paul Jakma <paul.jakma@sun.com>
+
+	* (general) bgpd can be made crash by remote peers if debug
+	  bgp updates is set, due to NULL pointer dereference.
+	  Reported by "Mu Security Research Team",
+	  <security@musecurity.com>.
+	* bgp_attr.c: (bgp_attr_community) If community length is 0,
+	  don't set the community-present attribute bit, just return
+	  early.
+	* bgp_debug.c: (community_str,community_com2str) Check com
+	  pointer before dereferencing.
+
 2007-08-27 Paul Jakma <paul.jakma@sun.com>
 
 	* bgp_route.c: (bgp_announce_check) Fix bug #398, slight
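Review bot: the file named in the second ChangeLog entry does not match the diff: the `community_str`/`community_com2str` NULL checks are added in `bgpd/bgp_community.c` (the hunks below), not `bgp_debug.c`; correct the entry before committing. The entry could also state that both functions now return NULL for a NULL `com`, since that is a behaviour change callers have to know about.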
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index ee17b6d..9d13ca6 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1007,7 +1007,10 @@
 		    struct attr *attr, u_char flag)
 {
   if (length == 0)
-    attr->community = NULL;
+    {
+      attr->community = NULL;
+      return 0;
+    }
   else
     {
       attr->community = 
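Review bot: with the early `return 0;` in the `length == 0` branch, the following `else` is redundant and can be dropped so the normal path is not indented one level for nothing. It is also worth stating in the commit whether silently accepting a zero-length COMMUNITIES attribute and returning success is the intended handling, as opposed to treating it as an attribute-length error; the hunk only shows that the flag-setting code after this point is now skipped, which is what the ChangeLog describes.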
diff --git a/bgpd/bgp_community.c b/bgpd/bgp_community.c
index 07b8cf8..d5e9821 100644
--- a/bgpd/bgp_community.c
+++ b/bgpd/bgp_community.c
@@ -206,6 +206,9 @@
   u_int16_t as;
   u_int16_t val;
 
+  if (!com)
+    return NULL;
+  
   /* When communities attribute is empty.  */
   if (com->size == 0)
     {
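Review bot: `community_com2str` previously always produced a string (the `com->size == 0` branch right below handles the empty case), so returning NULL here is a contract change for every direct caller that uses the result unconditionally; they should be audited in the same change. Minor: the added blank line carries trailing whitespace (`+  `).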
@@ -377,6 +380,9 @@
 char *
 community_str (struct community *com)
 {
+  if (!com)
+    return NULL;
+  
   if (! com->str)
     com->str = community_com2str (com);
   return com->str;
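Review bot: `community_str` now returns NULL for a NULL `com`, but the ChangeLog says the crash is in the `debug bgp updates` logging path, which formats this result as a string; passing NULL to a `%s` conversion is undefined behaviour and still crashes on many libcs, so the logging callers need a check too, or this function should return an empty string rather than NULL. Minor: the added blank line carries trailing whitespace (`+  `).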