Skip to content

Commit

Permalink
pkg/packet/bgp: fix SoftVersion capability parser to check the input …
Browse files Browse the repository at this point in the history 
…length

func (c *CapSoftwareVersion) DecodeFromBytes(data []byte) error {
c.DefaultParameterCapability.DecodeFromBytes(data)
data = data[2:]
if len(data) < 2 {
return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilitySoftwareVersion bytes allowed")
}
softwareVersionLen := uint8(data[0])
if len(data[1:]) < int(softwareVersionLen) || softwareVersionLen > 64 {
return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "invalid length of software version capablity")
}
c.SoftwareVersionLen = softwareVersionLen
c.SoftwareVersion = string(data[1:c.SoftwareVersionLen]) // ivg: note the crash is here
return nil
}

Notice that `softwareVersionLen` is not checked for `0`, so
`data[1:c.SoftwareVersionLen]` becomes `data[1:0]`, which leads to a
runtime panic.
  • Loading branch information
@ivg @fujita
ivg authored and fujita committed Feb 7, 2025
1 parent ca7383f commit 08a001e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/packet/bgp/bgp.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1094,7 +1094,7 @@ func (c *CapSoftwareVersion) DecodeFromBytes(data []byte) error {
return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilitySoftwareVersion bytes allowed")
}
softwareVersionLen := uint8(data[0])
if len(data[1:]) < int(softwareVersionLen) || softwareVersionLen > 64 {
if len(data[1:]) < int(softwareVersionLen) || softwareVersionLen > 64 || softwareVersionLen == 0 {
return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "invalid length of software version capablity")
}
c.SoftwareVersionLen = softwareVersionLen
Expand Down

0 comments on commit 08a001e

Please sign in to comment.