[bgpd] low-impact DoS: crash on malformed community with debug set

2007-09-07 Paul Jakma <paul.jakma@sun.com>

	* (general) bgpd can be made crash by remote peers if debug
	  bgp updates is set, due to NULL pointer dereference.
	  Reported by "Mu Security Research Team",
	  <security@musecurity.com>.
	* bgp_attr.c: (bgp_attr_community) If community length is 0,
	  don't set the community-present attribute bit, just return
	  early.
	* bgp_debug.c: (community_str,community_com2str) Check com
	  pointer before dereferencing.

diff --git a/bgpd/ChangeLog b/bgpd/ChangeLog
index 1cf5515bb6c4daed993ae9371e143a55ecef4c14..7542df78eb79d98874afaafbb6994817eb1a9c54 100644 (file)
--- a/bgpd/ChangeLog
+++ b/bgpd/ChangeLog
@@ -1,3 +1,15 @@
+2007-09-07 Paul Jakma <paul.jakma@sun.com>
+
+       * (general) bgpd can be made crash by remote peers if debug
+         bgp updates is set, due to NULL pointer dereference.
+         Reported by "Mu Security Research Team",
+         <security@musecurity.com>.
+       * bgp_attr.c: (bgp_attr_community) If community length is 0,
+         don't set the community-present attribute bit, just return
+         early.
+       * bgp_debug.c: (community_str,community_com2str) Check com
+         pointer before dereferencing.
+
 2007-08-27 Paul Jakma <paul.jakma@sun.com>
 
        * bgp_route.c: (bgp_announce_check) Fix bug #398, slight

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index ee17b6d7bddd4ffcd2715014286548217f04e8c0..9d13ca6ec90f8cf3a38b6684a507e8d998854353 100644 (file)
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1007,7 +1007,10 @@ bgp_attr_community (struct peer *peer, bgp_size_t length,
                    struct attr *attr, u_char flag)
 {
   if (length == 0)
-    attr->community = NULL;
+    {
+      attr->community = NULL;
+      return 0;
+    }
   else
     {
       attr->community = 

diff --git a/bgpd/bgp_community.c b/bgpd/bgp_community.c
index 07b8cf81f8545ceb32a8064da5fbd5b06e6224d4..d5e9821be9ff84752d75bde0716f056d178df2d0 100644 (file)
--- a/bgpd/bgp_community.c
+++ b/bgpd/bgp_community.c
@@ -206,6 +206,9 @@ community_com2str  (struct community *com)
   u_int16_t as;
   u_int16_t val;
 
+  if (!com)
+    return NULL;
+  
   /* When communities attribute is empty.  */
   if (com->size == 0)
     {
@@ -377,6 +380,9 @@ community_dup (struct community *com)
 char *
 community_str (struct community *com)
 {
+  if (!com)
+    return NULL;
+  
   if (! com->str)
     com->str = community_com2str (com);
   return com->str;