Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bgpd: Check if we have really enough data before doing memcpy for FQDN capability #16213

Merged
merged 1 commit into from
Jun 24, 2024
Merged

bgpd: Check if we have really enough data before doing memcpy for FQDN capability #16213

merged 1 commit into from
Jun 24, 2024

Conversation

ton31337
Copy link
Member

No description provided.

@ton31337
bgpd: Check if we have really enough data before doing memcpy for FQD…
b685ab5 
…N capability

We advance data pointer (data++), but we do memcpy() with the length that is 1-byte
over, which is technically heap overflow.

```
==411461==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50600011da1a at pc 0xc4f45a9786f0 bp 0xffffed1e2740 sp 0xffffed1e1f30
READ of size 4 at 0x50600011da1a thread T0
    0 0xc4f45a9786ec in __asan_memcpy (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x3586ec) (BuildId: e794c5f796eee20c8973d7efb9bf5735e54d44cd)
    1 0xc4f45abf15f8 in bgp_dynamic_capability_fqdn /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3457:4
    2 0xc4f45abdd408 in bgp_capability_msg_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3911:4
    3 0xc4f45abdbeb4 in bgp_capability_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:3980:9
    4 0xc4f45abde2cc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4109:11
    5 0xc4f45a9b6110 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3
```

Found by fuzzing.

Reported-by: Iggy Frankovic <[email protected]>
Signed-off-by: Donatas Abraitis <[email protected]>
@ton31337
Copy link
Member Author

@Mergifyio backport dev/10.1 stable/10.0

@mergify Mergify
Copy link

mergify bot commented Jun 13, 2024
edited
Loading

backport dev/10.1 stable/10.0

✅ Backports have been created

@ton31337 ton31337 added this to the 10.1 milestone Jun 13, 2024
@ton31337
Copy link
Member Author

ci:rerun CI wasn't triggered

@ton31337
Copy link
Member Author

ci:rerun

@donaldsharp donaldsharp self-requested a review June 18, 2024 15:20
riw777
riw777 approved these changes Jun 18, 2024
View reviewed changes
Copy link
Member

@riw777 riw777 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good

@riw777 riw777 merged commit ed5628f into FRRouting:master Jun 24, 2024
11 checks passed
This was referenced Jun 24, 2024
Merged
Merged
ton31337 added a commit that referenced this pull request Jun 25, 2024
@ton31337
Merge pull request #16281 from FRRouting/mergify/bp/dev/10.1/pr-16213
48b0d33 
bgpd: Check if we have really enough data before doing memcpy for FQDN capability (backport #16213)
riw777 added a commit that referenced this pull request Jun 25, 2024
@riw777
Merge pull request #16282 from FRRouting/mergify/bp/stable/10.0/pr-16213
bd137a2 
bgpd: Check if we have really enough data before doing memcpy for FQDN capability (backport #16213)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@riw777 riw777 riw777 approved these changes

@donaldsharp donaldsharp Awaiting requested review from donaldsharp

Assignees
No one assigned
Labels
backport master size/XS
Projects
None yet
Milestone
10.1
Development

Successfully merging this pull request may close these issues.
2 participants
@ton31337 @riw777