Submit #807604: osrg GoBGP <= 4.3.0 Integer Underflow
| Titel | osrg GoBGP <= 4.3.0 Integer Underflow |
|---|---|
| Beschreibung | Credit / Discovered by: Xiangjun Sun, Jiahao Lei, Siru Ren, Zhouyan Deng, Jiajia Liu (School of Cybersecurity, Northwestern Polytechnical University) A vulnerability was found in GoBGP 4.3.0 in parseRibEntry() in pkg/packet/mrt/mrt.go. It has been classified as an integer underflow vulnerability. The function parses MRT TABLE_DUMPv2 RIB entries and uses a uint16 variable (attrLen) to track the remaining length of Path Attributes. During parsing, the code decreases attrLen using: attrLen -= uint16(p.Len()) without verifying whether the parsed attribute length exceeds the remaining buffer. If a crafted PathAttribute reports a length larger than attrLen, the subtraction causes an unsigned integer underflow. Due to wraparound behavior, attrLen becomes a large positive value, allowing the loop to continue processing far beyond the intended buffer boundary. Additionally, the bounds check: if len(data) < p.Len() is performed after DecodeFromBytes(), meaning the attribute may already have accessed out-of-bounds memory before validation occurs. A local or remote attacker able to supply a malicious MRT file may exploit this issue to trigger uncontrolled parsing behavior. Successful exploitation may result in excessive memory consumption, infinite loop conditions, or application crash. Affected file: pkg/packet/mrt/mrt.go Affected function: parseRibEntry() Impact: Denial of service (integer underflow, out-of-bounds read, infinite loop or crash) |
| Quelle | ⚠️ https:/ |
| Benutzer | Sunxj (UID 96442) |
| Einreichung | 18.04.2026 10:44 (vor 2 Monaten) |
| Moderieren | 03.05.2026 18:16 (15 days later) |
| Status | Akzeptiert |
| VulDB Eintrag | 360911 [osrg GoBGP bis 4.3.0 pkg/packet/mrt/mrt.go parseRibEntry Pufferüberlauf] |
| Punkte | 20 |