Miss a check on length in Babel #10487

whichbug · 2022-02-03T02:44:29Z

The code below misses a check on the relationship between packetlen and bodylen before Line 298, which may lead to buffer overflows when accessing the memory at Line 300 and Line 309.

frr/babeld/message.c

Lines 289 to 309 in 3d1ff4b

    
           babel_packet_examin(const unsigned char *packet, int packetlen) 
        
           { 
        
               unsigned i = 0, bodylen; 
        
               const unsigned char *message; 
        
               unsigned char type, len; 
        
               if(packetlen < 4 || packet[0] != 42 || packet[1] != 2) 
        
                   return 1; 
        
               DO_NTOHS(bodylen, packet + 2); 
        
               while (i < bodylen){ 
        
                   message = packet + 4 + i; 
        
                   type = message[0]; 
        
                   if(type == MESSAGE_PAD1) { 
        
                       i++; 
        
                       continue; 
        
                   } 
        
                   if(i + 1 > bodylen) { 
        
                       debugf(BABEL_DEBUG_COMMON,"Received truncated message."); 
        
                       return 1; 
        
                   } 
        
                   len = message[1];

To fix, we may put the code below before the while loop:

if (packetlen < bodylen + 4) {
    debugf(BABEL_DEBUG_COMMON,"Received truncated message."); 
    return 1; 
}

The output of the address sanitizer:

==271648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000114 at pc 0x00000059301a bp 0x7fff3f7301f0 sp 0x7fff3f7301e8
READ of size 1 at 0x603000000114 thread T0
    #0 0x593019 in babel_packet_examin /home/parallels/myfrr/babeld/message.c:300:16
    #1 0x593019 in parse_packet /home/parallels/myfrr/babeld/message.c:354:9

The text was updated successfully, but these errors were encountered:

qlyoung · 2022-02-03T18:08:26Z

Awesome! Since you already have a fix, would you be willing to submit the patch as a PR? That would be super helpful.

The body length of a packet should satisfy the condition: packetlen >= bodylen + 4. Otherwise, heap overflows may happen. Signed-off-by: whichbug <whichbug@github.com>

whichbug · 2022-02-03T21:32:44Z

Awesome! Since you already have a fix, would you be willing to submit the patch as a PR? That would be super helpful.

Thanks for your reply. I have created the pull request.

The body length of a packet should satisfy the condition: packetlen >= bodylen + 4. Otherwise, heap overflows may happen. Signed-off-by: whichbug <whichbug@github.com>

qlyoung · 2022-03-28T18:23:05Z

This has been assigned CVE-2022-26127 with a severity score of 7.8.

No assessment of exploitability has been made.

Please see my comment here

The body length of a packet should satisfy the condition: packetlen >= bodylen + 4. Otherwise, heap overflows may happen. Signed-off-by: whichbug <whichbug@github.com>

whichbug pushed a commit to whichbug/frr that referenced this issue Feb 3, 2022

babeld: fix FRRouting#10487 by adding a check on packet length

ff0f99d

whichbug mentioned this issue Feb 3, 2022

babeld: add a check for truncated packets #10494

Merged

idryzhov closed this as completed in #10494 Feb 6, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Miss a check on length in Babel #10487

Miss a check on length in Babel #10487

whichbug commented Feb 3, 2022 •

edited

Loading

qlyoung commented Feb 3, 2022

whichbug commented Feb 3, 2022

qlyoung commented Mar 28, 2022 •

edited

Loading

Miss a check on length in Babel #10487

Miss a check on length in Babel #10487

Comments

whichbug commented Feb 3, 2022 • edited Loading

qlyoung commented Feb 3, 2022

whichbug commented Feb 3, 2022

qlyoung commented Mar 28, 2022 • edited Loading

whichbug commented Feb 3, 2022 •

edited

Loading

qlyoung commented Mar 28, 2022 •

edited

Loading