
quagga-0.99.18-1.3.mga1.src.rpm

@@ -, +, @@ 
    bgpd: CERT-FI #513254 (ext. comm. buffer overflow)
    
    This vulnerability was reported by CROSS project. They have also
    suggested a fix to the problem, which was found acceptable.
    
    The problem occurs when bgpd receives an UPDATE message containing
    255 unknown AS_PATH attributes in Path Attribute Extended Communities.
    This causes a buffer overflow in bgpd.
    
    * bgp_ecommunity.c
      * ecommunity_ecom2str(): perform size check earlier
--- a/bgpd/bgp_ecommunity.c	
+++ a/bgpd/bgp_ecommunity.c	
@@ -619,6 +619,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
 
   for (i = 0; i < ecom->size; i++)
     {
+      /* Make it sure size is enough.  */
+      while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
+	{
+	  str_size *= 2;
+	  str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
+	}
+
       /* Space between each value.  */
       if (! first)
 	str_buf[str_pnt++] = ' ';
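Review bot: The growth check added at the top of the loop body is only sufficient if one iteration never writes more than `ECOMMUNITY_STR_DEFAULT_LEN` bytes, counting the separator, the formatted value and the terminating NUL, and nothing in the hunk states or enforces that bound. The writes themselves sit further down in `ecommunity_ecom2str()`, outside this hunk, so I cannot confirm they are bounded; if they use unbounded formatting, passing the remaining space (`str_size - str_pnt`) to `snprintf` there would turn the assumption into a check. At minimum the new comment should carry the invariant, e.g. `/* Grow before writing: one iteration adds at most ECOMMUNITY_STR_DEFAULT_LEN bytes, separator and NUL included. */`. A regression test that formats an attribute holding the maximum number of unknown-type entries would stop the check from being moved back below a path that skips it.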
@@ -662,13 +669,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
 	  break;
 	}
 
-      /* Make it sure size is enough.  */
-      while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
-	{
-	  str_size *= 2;
-	  str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
-	}
-
       /* Put string into buffer.  */
       if (encode == ECOMMUNITY_ENCODE_AS4)
 	{