1 From 9e5251151894aefdf8e9392a2371615222119ad8 Mon Sep 17 00:00:00 2001
2 From: Paul Jakma <paul@jakma.org>
3 Date: Sat, 6 Jan 2018 22:31:52 +0000
4 Subject: [PATCH] bgpd/security: debug print of received NOTIFY data can
7 Security issue: Quagga-2018-1550
8 See: https://www.quagga.net/security/Quagga-2018-1550.txt
10 * bgpd/bgp_debug.c: (struct message) Nearly every one of the NOTIFY
11 code/subcode message arrays has their corresponding size variables off
12 by one, as most have 1 as first index.
14 This means (bgp_notify_print) can cause mes_lookup to overread the (struct
15 message) by 1 pointer value if given an unknown index.
17 Fix the bgp_notify_..._msg_max variables to use the compiler to calculate
20 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
22 bgpd/bgp_debug.c | 21 ++++++++++++---------
23 1 file changed, 12 insertions(+), 9 deletions(-)
25 diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
26 index ba797228..43faee7c 100644
27 --- a/bgpd/bgp_debug.c
28 +++ b/bgpd/bgp_debug.c
29 @@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
31 #include "sockunion.h"
35 #include "bgpd/bgpd.h"
36 #include "bgpd/bgp_aspath.h"
37 @@ -73,7 +74,8 @@ const struct message bgp_status_msg[] =
38 { Clearing, "Clearing" },
39 { Deleted, "Deleted" },
41 -const int bgp_status_msg_max = BGP_STATUS_MAX;
42 +#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg)
43 +BGP_DEBUG_MSG_MAX (bgp_status_msg);
45 /* BGP message type string. */
46 const char *bgp_type_str[] =
47 @@ -84,7 +86,8 @@ const char *bgp_type_str[] =
56 /* message for BGP-4 Notify */
57 @@ -98,15 +101,15 @@ static const struct message bgp_notify_msg[] =
58 { BGP_NOTIFY_CEASE, "Cease"},
59 { BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"},
61 -static const int bgp_notify_msg_max = BGP_NOTIFY_MAX;
62 +BGP_DEBUG_MSG_MAX (bgp_notify_msg);
64 static const struct message bgp_notify_head_msg[] =
66 { BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"},
67 { BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"},
68 - { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}
69 + { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"},
71 -static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX;
72 +BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);
74 static const struct message bgp_notify_open_msg[] =
76 @@ -119,7 +122,7 @@ static const struct message bgp_notify_open_msg[] =
77 { BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"},
78 { BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"},
80 -static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX;
81 +BGP_DEBUG_MSG_MAX (bgp_notify_open_msg);
83 static const struct message bgp_notify_update_msg[] =
85 @@ -136,7 +139,7 @@ static const struct message bgp_notify_update_msg[] =
86 { BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"},
87 { BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"},
89 -static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX;
90 +BGP_DEBUG_MSG_MAX (bgp_notify_update_msg);
92 static const struct message bgp_notify_cease_msg[] =
94 @@ -150,7 +153,7 @@ static const struct message bgp_notify_cease_msg[] =
95 { BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"},
96 { BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"},
98 -static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX;
99 +BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg);
101 static const struct message bgp_notify_capability_msg[] =
103 @@ -159,7 +162,7 @@ static const struct message bgp_notify_capability_msg[] =
104 { BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"},
105 { BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"},
107 -static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX;
108 +BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg);
110 /* Origin strings. */
111 const char *bgp_origin_str[] = {"i","e","?"};