summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorSergey Elantsev <elantsev.s@yandex.ru>2021-01-23 22:56:17 +0300
committerSergey Elantsev <elantsev.s@yandex.ru>2021-01-23 22:56:17 +0300
commit43c62634fdd8ff8e1deb2c20251bbc37718752aa (patch)
tree5a8ab02c2dd6582d4330826d36c0ccabd1218306
parentc70d99cc913502714aedc847b88486b9d00503f2 (diff)
fixed panics on parsing malicious bgp packets
-rw-r--r--pkg/packet/bgp/bgp.go26
-rw-r--r--pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7bin0 -> 33 bytes
-rw-r--r--pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18dbin0 -> 64 bytes
-rw-r--r--pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fabin0 -> 37 bytes
-rw-r--r--pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0bin0 -> 31 bytes
-rw-r--r--pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42bin0 -> 31 bytes
-rw-r--r--pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565bin0 -> 35 bytes
7 files changed, 26 insertions, 0 deletions
diff --git a/pkg/packet/bgp/bgp.go b/pkg/packet/bgp/bgp.go
index 263d684a..c55c4681 100644
--- a/pkg/packet/bgp/bgp.go
+++ b/pkg/packet/bgp/bgp.go
@@ -1770,6 +1770,10 @@ func (l *LabeledVPNIPAddrPrefix) DecodeFromBytes(data []byte, options ...*Marsha
}
data = data[l.Labels.Len():]
l.RD = GetRouteDistinguisher(data)
+ rdLen := l.RD.Len()
+ if len(data) < rdLen {
+ return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "bad labeled VPN-IPv4 NLRI length")
+ }
data = data[l.RD.Len():]
restbits := int(l.Length) - 8*(l.Labels.Len()+l.RD.Len())
return l.decodePrefix(data, uint8(restbits), l.addrlen)
@@ -2130,6 +2134,9 @@ type EthernetSegmentIdentifier struct {
}
func (esi *EthernetSegmentIdentifier) DecodeFromBytes(data []byte) error {
+ if len(data) < 10 {
+ return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, fmt.Sprintf("invalid %s length", esi.Type.String()))
+ }
esi.Type = ESIType(data[0])
esi.Value = data[1:10]
switch esi.Type {
@@ -2376,6 +2383,10 @@ func (er *EVPNEthernetAutoDiscoveryRoute) Len() int {
func (er *EVPNEthernetAutoDiscoveryRoute) DecodeFromBytes(data []byte) error {
er.RD = GetRouteDistinguisher(data)
+ rdLen := er.RD.Len()
+ if len(data) < rdLen + 14 { // 14 is 10 for
+ return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "bad Ethernet Auto-discovery Route length")
+ }
data = data[er.RD.Len():]
err := er.ESI.DecodeFromBytes(data)
if err != nil {
@@ -2476,6 +2487,10 @@ func (er *EVPNMacIPAdvertisementRoute) Len() int {
func (er *EVPNMacIPAdvertisementRoute) DecodeFromBytes(data []byte) error {
er.RD = GetRouteDistinguisher(data)
+ rdLen := er.RD.Len()
+ if len(data) < rdLen {
+ return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "bad length of MAC/IP Advertisement Route")
+ }
data = data[er.RD.Len():]
err := er.ESI.DecodeFromBytes(data)
if err != nil {
@@ -2628,6 +2643,10 @@ func (er *EVPNMulticastEthernetTagRoute) Len() int {
func (er *EVPNMulticastEthernetTagRoute) DecodeFromBytes(data []byte) error {
er.RD = GetRouteDistinguisher(data)
+ rdLen := er.RD.Len()
+ if len(data) < rdLen + 4 {
+ return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "invalid length of multicast ethernet tag route")
+ }
data = data[er.RD.Len():]
er.ETag = binary.BigEndian.Uint32(data[0:4])
er.IPAddressLength = data[4]
@@ -2722,6 +2741,10 @@ func (er *EVPNEthernetSegmentRoute) Len() int {
func (er *EVPNEthernetSegmentRoute) DecodeFromBytes(data []byte) error {
er.RD = GetRouteDistinguisher(data)
+ rdLen := er.RD.Len()
+ if len(data) < rdLen {
+ return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "invalid Ethernet Segment Route length")
+ }
data = data[er.RD.Len():]
er.ESI.DecodeFromBytes(data)
data = data[10:]
@@ -4387,6 +4410,9 @@ func (n *FlowSpecNLRI) decodeFromBytes(rf RouteFamily, data []byte, options ...*
} else {
return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "not all flowspec component bytes available")
}
+ if len(data) < length {
+ return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "not all flowspec component bytes available")
+ }
n.rf = rf
diff --git a/pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7 b/pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7
new file mode 100644
index 00000000..dc9d0910
--- /dev/null
+++ b/pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7
Binary files differ
diff --git a/pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18d b/pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18d
new file mode 100644
index 00000000..e2f9ffa0
--- /dev/null
+++ b/pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18d
Binary files differ
diff --git a/pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fa b/pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fa
new file mode 100644
index 00000000..cab1d8af
--- /dev/null
+++ b/pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fa
Binary files differ
diff --git a/pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0 b/pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0
new file mode 100644
index 00000000..65f89c93
--- /dev/null
+++ b/pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0
Binary files differ
diff --git a/pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42 b/pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42
new file mode 100644
index 00000000..c8285f1a
--- /dev/null
+++ b/pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42
Binary files differ
diff --git a/pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565 b/pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565
new file mode 100644
index 00000000..d9513c2d
--- /dev/null
+++ b/pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565
Binary files differ