bgpd: CVE-2011-3327 (ext. comm. buffer overflow)

This vulnerability (CERT-FI #513254) was reported by CROSS project.
They have also suggested a fix to the problem, which was found
acceptable.

The problem occurs when bgpd receives an UPDATE message containing
255 unknown AS_PATH attributes in Path Attribute Extended Communities.
This causes a buffer overlow in bgpd.

* bgp_ecommunity.c
  * ecommunity_ecom2str(): perform size check earlier

diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 8d5fa741a882ddaab1355be3f3c1c85ef38f87dc..e7eb0a07f7a112adbf63a6cbabd161476df99946 100644 (file)
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -619,6 +619,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
 
   for (i = 0; i < ecom->size; i++)
     {
+      /* Make it sure size is enough.  */
+      while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
+       {
+         str_size *= 2;
+         str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
+       }
+
       /* Space between each value.  */
       if (! first)
        str_buf[str_pnt++] = ' ';
@@ -662,13 +669,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format)
          break;
        }
 
-      /* Make it sure size is enough.  */
-      while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)
-       {
-         str_size *= 2;
-         str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size);
-       }
-
       /* Put string into buffer.  */
       if (encode == ECOMMUNITY_ENCODE_AS4)
        {