CVE-2017-13043/BGP: fix decoding of MVPN route types 6 and 7
authorDenis Ovsienko <[email protected]>
Thu, 3 Aug 2017 23:08:23 +0000 (00:08 +0100)
committerDenis Ovsienko <[email protected]>
Sun, 3 Sep 2017 23:08:58 +0000 (00:08 +0100)
RFC 6514 Section 4.6 defines the structure for Shared Tree Join (6) and
Source Tree Join (7) multicast VPN route types. decode_multicast_vpn()
didn't implement the Source AS field of that structure properly, adjust
the offsets to put it right.

This fixes a buffer over-read discovered by Bhargava Shastry,
SecT/TU Berlin.

Add a test using the capture file supplied by the reporter(s).

print-bgp.c
tests/TESTLIST
tests/bgp_mvpn_6_and_7.out [new file with mode: 0644]
tests/bgp_mvpn_6_and_7.pcap [new file with mode: 0644]

index 3ee80c3d91aa35af6448b3dc82b69882249ae4f7..877534e1d545dab847c2b109665d08e88d67c1c9 100644 (file)
@@ -960,13 +960,13 @@ decode_multicast_vpn(netdissect_options *ndo,
 
         case BGP_MULTICAST_VPN_ROUTE_TYPE_SHARED_TREE_JOIN: /* fall through */
         case BGP_MULTICAST_VPN_ROUTE_TYPE_SOURCE_TREE_JOIN:
-            ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN);
+            ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN + 4);
             offset = strlen(buf);
            snprintf(buf + offset, buflen - offset, ", RD: %s, Source-AS %s",
                bgp_vpn_rd_print(ndo, pptr),
                as_printf(ndo, astostr, sizeof(astostr),
                EXTRACT_32BITS(pptr + BGP_VPN_RD_LEN)));
-            pptr += BGP_VPN_RD_LEN;
+            pptr += BGP_VPN_RD_LEN + 4;
 
             bgp_vpn_sg_print(ndo, pptr, buf, buflen);
             break;
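Review bot: The width of the Source AS field is written as a bare `4` on both the ND_TCHECK2 line and the `pptr +=` line, so the check and the advance can drift apart in a later edit and silently reintroduce the over-read this commit fixes; give the width one name alongside BGP_VPN_RD_LEN, e.g. `#define BGP_MVPN_SOURCE_AS_LEN 4 /* RFC 6514 4.6: 4-octet Source AS follows the RD */`, and use it in both places: `ND_TCHECK2(pptr[0], BGP_VPN_RD_LEN + BGP_MVPN_SOURCE_AS_LEN);` and `pptr += BGP_VPN_RD_LEN + BGP_MVPN_SOURCE_AS_LEN;`. The widened check covers only the RD and Source AS bytes read in this case; whether bgp_vpn_sg_print() bounds-checks the source/group fields it reads after the advance is not visible in this hunk and should be confirmed rather than assumed. decode_multicast_vpn() begins and ends outside the hunk, so the route-length check that should precede this case could not be reviewed here.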
index 2de9e934f711c01ce7ef0327b9a5b41925d16fa0..80c5c1478e738226c291a8355e48abf3a978163c 100644 (file)
@@ -561,6 +561,7 @@ hncp_dhcpv6data-oobr        hncp_dhcpv6data-oobr.pcap       hncp_dhcpv6data-oobr.out -v -c1
 hncp_dhcpv4data-oobr   hncp_dhcpv4data-oobr.pcap       hncp_dhcpv4data-oobr.out -v -c1
 vqp-oobr               vqp-oobr.pcap                   vqp-oobr.out            -v -c1
 bgp_pmsi_tunnel-oobr   bgp_pmsi_tunnel-oobr.pcap       bgp_pmsi_tunnel-oobr.out -v -c1
+bgp_mvpn_6_and_7       bgp_mvpn_6_and_7.pcap           bgp_mvpn_6_and_7.out    -v -c1
 
 # bad packets from Katie Holly
 mlppp-oobr             mlppp-oobr.pcap                 mlppp-oobr.out
diff --git a/tests/bgp_mvpn_6_and_7.out b/tests/bgp_mvpn_6_and_7.out
new file mode 100644 (file)
index 0000000..3eb4a2d
--- /dev/null
@@ -0,0 +1,13 @@
+IP (tos 0xc, ttl 254, id 21263, offset 0, flags [rsvd], proto TCP (6), length 517, bad cksum 8e15 (->99c9)!)
+    241.0.93.20.179 > 255.247.0.1.200: Flags [none], seq 2146691977:2146692450, win 56026, options [unknown-161,eol], length 473: BGP
+       Update Message (2), length: 45
+         Withdrawn routes: 3 bytes
+         Attribute Set (128), length: 7, Flags [OTPE+f]: 
+           Origin AS: 148
+             Multi-Protocol Reach NLRI (14), length: 71, Flags [T+6]: 
+           AFI: IPv4 (1), SAFI: Multicast VPN (5), nh-length: 0, no SNPA
+             Route-Type: Intra-AS I-PMSI (1), length: 0, RD: 62209:33686018 (= 2.2.2.2), Originator bogus address length 4294967232
+             Route-Type: Unknown (0), length: 0
+             Route-Type: Unknown (243), length: 1
+             Route-Type: Inter-AS I-PMSI (2), length: 2, RD: unknown RD format, Source-AS 368115805
+             Route-Type: Inter-AS I-PMSI (2), length: 2, RD: unknown RD format, Source-AS 335544320[|BGP]
diff --git a/tests/bgp_mvpn_6_and_7.pcap b/tests/bgp_mvpn_6_and_7.pcap
new file mode 100644 (file)
index 0000000..a478b95
Binary files /dev/null and b/tests/bgp_mvpn_6_and_7.pcap differ