1 Author: Paul Jakma <[email protected]> |
|
2 Date: Fri Sep 7 14:24:55 2007 +0000 |
|
3 |
|
4 [bgpd] low-impact DoS: crash on malformed community with debug set |
|
5 |
|
6 2007-09-07 Paul Jakma <[email protected]> |
|
7 |
|
8 * (general) bgpd can be made to crash by remote peers if debug |
|
9 bgp updates is set, due to NULL pointer dereference. |
|
10 Reported by "Mu Security Research Team", |
|
11 <[email protected]>. |
|
12 * bgp_attr.c: (bgp_attr_community) If community length is 0, |
|
13 don't set the community-present attribute bit, just return |
|
14 early. |
|
15 * bgp_debug.c: (community_str,community_com2str) Check com |
|
16 pointer before dereferencing. |
|
17 |
|
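--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -962,7 +962,10 @@
 struct attr *attr, u_char flag)
 {
 if (length == 0)
- attr->community = NULL;
+ {
+ attr->community = NULL;
+ return 0;
+ }
 else
 {
 attr->community =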
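Review bot: The new early return in the `length == 0` branch of bgp_attr_community carries no comment explaining why the attribute-present bit is deliberately left unset, and that reason is the security-relevant part of the fix. I would add above the branch `/* Zero-length COMMUNITIES: leave the attribute flag clear so no later code sees the bit set with attr->community == NULL. */`. The zero-length attribute is also accepted silently with `return 0`; a log line here would let operators see which peer sends it. The function starts and ends outside this hunk, so it is worth confirming that a non-zero length is checked to be a multiple of 4 before it is parsed.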
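--- a/bgpd/bgp_community.c
+++ b/bgpd/bgp_community.c
@@ -206,6 +206,9 @@ community_com2str (struct community *com)
 u_int16_t as;
 u_int16_t val;
 
+ if (!com)
+ return NULL;
+
 /* When communities attribute is empty. */
 if (com->size == 0)
 {
@@ -377,6 +380,9 @@ community_dup (struct community *com)
 char *
 community_str (struct community *com)
 {
+ if (!com)
+ return NULL;
+
 if (! com->str)
 com->str = community_com2str (com);
 return com->str;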
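Review bot: The added `if (!com) return NULL;` guards in community_com2str and community_str stop the dereference but hand a NULL string back to callers, which are outside these hunks. If any caller passes the result straight to a `%s` conversion in a log or vty format, that is still undefined behaviour and may crash depending on the formatter, so the callers should be checked or the functions should return a safe string instead. At minimum, document the contract above community_str, e.g. `/* Returns NULL when com is NULL; callers must check before formatting. */`. The changelog entry names bgp_debug.c for these two functions, while the hunks modify bgpd/bgp_community.c. community_com2str's body continues outside its hunk.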