Stack overflow in RFC 8203 BGP admin. shutdown comm. handling since 7ff34ca2

Daniel McCarney cpu at letsencrypt.org
Mon Sep 9 16:42:06 CEST 2019


> Done. I'll update this thread when MITRE replies.

Assigned CVE-2019-16159

On Mon, Sep 9, 2019 at 10:07 AM Daniel McCarney <cpu at letsencrypt.org> wrote:
>
> > If you could, I would be glad.
>
> Done. I'll update this thread when MITRE replies.
>
> Thanks again Ondrej,
>
> On Sun, Sep 8, 2019 at 9:56 PM Ondrej Zajicek <santiago at crfreenet.org> wrote:
> >
> > On Sun, Sep 08, 2019 at 05:54:35PM -0400, Daniel McCarney wrote:
> > > Hi Ondrej,
> > >
> > > Thanks for the quick response.
> > >
> > > > Unfortunately it has been included in released versions 1.6.7 and 2.0.5.
> > >
> > > Bummer, apologies for missing that. Do you want to request a CVE or should I?
> >
> > If you could, I would be glad.
> >
> >
> > > While I believe 7ff34ca2 introduced the ability to overflow a stack buffer it
> > > seems to me the original RFC 8203 support hasn't been correctly verifying
> > > shutdown communication `msg_len` since support was added in BIRD 2 versions >=
> > > 2.0.0 and BIRD 1 versions >= 1.6.4. Details to follow.
> >
> > I think that the incorrect check in the original code also allows this
> > stack overflow, as a properly packed 255B message would trigger the first
> > condition but not the second, so would be accepted.
> >
> > Therefore, the stack overflow could happen on BIRD 1 versions >= 1.6.4
> > and BIRD 2 versions >= 2.0.0.
> >
> >
> > The bugfix patches are:
> > 1657c41c96b3c07d9265b07dd4912033ead4124b (1.6.x)
> > 8388f5a7e14108a1458fea35bfbb5a453e2c563c (2.0.x)
> >
> > --
> > Elen sila lumenn' omentielvo
> >
> > Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
> > OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> > "To err is human -- to blame it on a computer is even more so."
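The pattern Ondrej describes above (two length conditions joined so that a properly packed over-length message satisfies the first but not the second, and is therefore accepted) is shown below as an added editorial example in C. It is not BIRD's code and not either of the referenced fix commits; `shutdown_check_flawed`, `shutdown_check_correct` and `shutdown_msg_extract` are hypothetical names, the sample NOTIFICATION data is constructed inline, and the 128-octet cap is the limit RFC 8203 places on the Shutdown Communication (the one-octet length prefix itself can encode up to 255).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 8203 caps the Shutdown Communication at 128 octets of UTF-8.
   The wire format is a one-octet length followed by that many octets,
   so a peer can claim anything up to 255. */
#define SHUTDOWN_MSG_MAX 128

/* Hypothetical flawed check (illustration only, not BIRD's code):
   the two conditions are joined with &&, so a message that is too long
   for the buffer but exactly packed (msg_len + 1 == data_len) makes the
   first condition true and the second false, and is accepted.
   Returns 1 when the data should be rejected, 0 when accepted. */
int shutdown_check_flawed(const uint8_t *data, size_t data_len)
{
    if (data_len < 1)
        return 1;
    size_t msg_len = data[0];
    if ((msg_len > SHUTDOWN_MSG_MAX) && (msg_len + 1 > data_len))
        return 1;
    return 0;
}

/* Correct check: each condition rejects on its own.
   - msg_len > SHUTDOWN_MSG_MAX: would not fit the fixed-size buffer.
   - msg_len + 1 > data_len:     claims more octets than were received. */
int shutdown_check_correct(const uint8_t *data, size_t data_len)
{
    if (data_len < 1)
        return 1;
    size_t msg_len = data[0];
    if (msg_len > SHUTDOWN_MSG_MAX)
        return 1;
    if (msg_len + 1 > data_len)
        return 1;
    return 0;
}

/* Copy the message into a caller-provided buffer of SHUTDOWN_MSG_MAX + 1
   bytes and NUL-terminate it. Only runs after the correct check, so the
   memcpy length is always <= SHUTDOWN_MSG_MAX and <= data_len - 1.
   Returns the message length, or -1 if the data was rejected. */
int shutdown_msg_extract(const uint8_t *data, size_t data_len,
                         char out[SHUTDOWN_MSG_MAX + 1])
{
    if (shutdown_check_correct(data, data_len))
        return -1;
    size_t msg_len = data[0];
    memcpy(out, data + 1, msg_len);
    out[msg_len] = '\0';
    return (int) msg_len;
}

/* Build constructed sample NOTIFICATION data: a length octet followed by
   msg_len copies of `fill`. Returns the number of bytes written, or 0 if
   the destination is too small. */
size_t build_sample(uint8_t *buf, size_t buf_size, uint8_t msg_len, char fill)
{
    if (buf_size < (size_t) msg_len + 1)
        return 0;
    buf[0] = msg_len;
    memset(buf + 1, fill, msg_len);
    return (size_t) msg_len + 1;
}

int main(void)
{
    uint8_t pkt[256];
    char out[SHUTDOWN_MSG_MAX + 1];

    /* Exactly packed 255-octet message: flawed check accepts, correct check rejects. */
    size_t n = build_sample(pkt, sizeof pkt, 255, 'A');
    printf("255B packed: flawed=%d correct=%d\n",
           shutdown_check_flawed(pkt, n), shutdown_check_correct(pkt, n));

    /* Well-formed 20-octet message: extracted as-is. */
    n = build_sample(pkt, sizeof pkt, 20, 'b');
    printf("20B: extract=%d text=\"%s\"\n", shutdown_msg_extract(pkt, n, out), out);

    /* Truncated data: length octet claims 50, only 10 octets follow. */
    pkt[0] = 50;
    printf("truncated: flawed=%d correct=%d\n",
           shutdown_check_flawed(pkt, 11), shutdown_check_correct(pkt, 11));
    return 0;
}
```

The point of the two separate `if` statements is that "fits the buffer" and "fits the received data" are independent safety properties; combining them into one conjunction lets a message that violates only one of them through, which is exactly the case Ondrej notes for a properly packed 255-byte message.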


More information about the Bird-users mailing list