diff options
author | Sergey Elantsev <elantsev.s@yandex.ru> | 2021-01-23 22:56:17 +0300 |
---|---|---|
committer | Sergey Elantsev <elantsev.s@yandex.ru> | 2021-01-23 22:56:17 +0300 |
commit | 43c62634fdd8ff8e1deb2c20251bbc37718752aa (patch) | |
tree | 5a8ab02c2dd6582d4330826d36c0ccabd1218306 /pkg/packet/bgp | |
parent | c70d99cc913502714aedc847b88486b9d00503f2 (diff) |
fixed panics on parsing malicious bgp packets
Diffstat (limited to 'pkg/packet/bgp')
-rw-r--r-- | pkg/packet/bgp/bgp.go | 26 | ||||
-rw-r--r-- | pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7 | bin | 0 -> 33 bytes | |||
-rw-r--r-- | pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18d | bin | 0 -> 64 bytes | |||
-rw-r--r-- | pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fa | bin | 0 -> 37 bytes | |||
-rw-r--r-- | pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0 | bin | 0 -> 31 bytes | |||
-rw-r--r-- | pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42 | bin | 0 -> 31 bytes | |||
-rw-r--r-- | pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565 | bin | 0 -> 35 bytes |
7 files changed, 26 insertions, 0 deletions
diff --git a/pkg/packet/bgp/bgp.go b/pkg/packet/bgp/bgp.go index 263d684a..c55c4681 100644 --- a/pkg/packet/bgp/bgp.go +++ b/pkg/packet/bgp/bgp.go @@ -1770,6 +1770,10 @@ func (l *LabeledVPNIPAddrPrefix) DecodeFromBytes(data []byte, options ...*Marsha } data = data[l.Labels.Len():] l.RD = GetRouteDistinguisher(data) + rdLen := l.RD.Len() + if len(data) < rdLen { + return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "bad labeled VPN-IPv4 NLRI length") + } data = data[l.RD.Len():] restbits := int(l.Length) - 8*(l.Labels.Len()+l.RD.Len()) return l.decodePrefix(data, uint8(restbits), l.addrlen) @@ -2130,6 +2134,9 @@ type EthernetSegmentIdentifier struct { } func (esi *EthernetSegmentIdentifier) DecodeFromBytes(data []byte) error { + if len(data) < 10 { + return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, fmt.Sprintf("invalid %s length", esi.Type.String())) + } esi.Type = ESIType(data[0]) esi.Value = data[1:10] switch esi.Type { @@ -2376,6 +2383,10 @@ func (er *EVPNEthernetAutoDiscoveryRoute) Len() int { func (er *EVPNEthernetAutoDiscoveryRoute) DecodeFromBytes(data []byte) error { er.RD = GetRouteDistinguisher(data) + rdLen := er.RD.Len() + if len(data) < rdLen + 14 { // 14 is 10 for + return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "bad Ethernet Auto-discovery Route length") + } data = data[er.RD.Len():] err := er.ESI.DecodeFromBytes(data) if err != nil { @@ -2476,6 +2487,10 @@ func (er *EVPNMacIPAdvertisementRoute) Len() int { func (er *EVPNMacIPAdvertisementRoute) DecodeFromBytes(data []byte) error { er.RD = GetRouteDistinguisher(data) + rdLen := er.RD.Len() + if len(data) < rdLen { + return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "bad length of MAC/IP Advertisement Route") + } data = data[er.RD.Len():] err := er.ESI.DecodeFromBytes(data) if err != nil { @@ -2628,6 +2643,10 @@ func (er *EVPNMulticastEthernetTagRoute) Len() int { func (er *EVPNMulticastEthernetTagRoute) DecodeFromBytes(data []byte) error { er.RD = GetRouteDistinguisher(data) + rdLen := er.RD.Len() + if len(data) < rdLen + 4 { + return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "invalid length of multicast ethernet tag route") + } data = data[er.RD.Len():] er.ETag = binary.BigEndian.Uint32(data[0:4]) er.IPAddressLength = data[4] @@ -2722,6 +2741,10 @@ func (er *EVPNEthernetSegmentRoute) Len() int { func (er *EVPNEthernetSegmentRoute) DecodeFromBytes(data []byte) error { er.RD = GetRouteDistinguisher(data) + rdLen := er.RD.Len() + if len(data) < rdLen { + return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "invalid Ethernet Segment Route length") + } data = data[er.RD.Len():] er.ESI.DecodeFromBytes(data) data = data[10:] @@ -4387,6 +4410,9 @@ func (n *FlowSpecNLRI) decodeFromBytes(rf RouteFamily, data []byte, options ...* } else { return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "not all flowspec component bytes available") } + if len(data) < length { + return NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "not all flowspec component bytes available") + } n.rf = rf diff --git a/pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7 b/pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7 Binary files differnew file mode 100644 index 00000000..dc9d0910 --- /dev/null +++ b/pkg/packet/bgp/testdata/bad-len/147a924d9a4a4d9960f8bb49e3ec782ee93f82a7 diff --git a/pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18d b/pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18d Binary files differnew file mode 100644 index 00000000..e2f9ffa0 --- /dev/null +++ b/pkg/packet/bgp/testdata/bad-len/27f19d6959e9cbecfcd09b28c3aec493a4b6f18d diff --git a/pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fa b/pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fa Binary files differnew file mode 100644 index 00000000..cab1d8af --- /dev/null +++ b/pkg/packet/bgp/testdata/bad-len/3dce7e046d709b142092e15b78e9ad20ee5144fa diff --git a/pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0 b/pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0 Binary files differnew file mode 100644 index 00000000..65f89c93 --- /dev/null +++ b/pkg/packet/bgp/testdata/bad-len/66e6aab4f34c9c5783c18f90b2d987e5dad241e0 diff --git a/pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42 b/pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42 Binary files differnew file mode 100644 index 00000000..c8285f1a --- /dev/null +++ b/pkg/packet/bgp/testdata/bad-len/a8ecedce17e2e28a466cf9fb3bfaf2d8554fef42 diff --git a/pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565 b/pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565 Binary files differnew file mode 100644 index 00000000..d9513c2d --- /dev/null +++ b/pkg/packet/bgp/testdata/bad-len/b7ed0646a97127bf424da480a53a84a0cb9c9565 |