जमा करें #780124: GoBGP 4.3.0 Improper Handling of Length Parameter Inconsistencyजानकारी

शीर्षकGoBGP 4.3.0 Improper Handling of Length Parameter Inconsistency
विवरणA vulnerability was found in GoBGP 4.3.0 in the FQDN capability decoder used during BGP OPEN message processing. It has been classified as improper handling of length parameter inconsistency. The issue is located in pkg/packet/bgp/bgp.go in the function CapFQDN.DecodeFromBytes(). The parser correctly uses HostNameLen to decode the HostName field, but it does not properly use DomainNameLen when decoding the DomainName field. Instead, the implementation reads all remaining bytes in the capability buffer as the domain name. An attacker able to supply a crafted BGP OPEN message containing an FQDN capability can cause additional trailing capability data or padding bytes to be interpreted as part of the domain name. This may lead to incorrect domain name parsing, capability decode inconsistencies, and misleading log or debug output. The vulnerability appears to be primarily a protocol parsing correctness issue rather than a direct memory safety issue, because the read remains within the provided buffer bounds. The affected file is pkg/packet/bgp/bgp.go and the affected function is CapFQDN.DecodeFromBytes().
स्रोत⚠️ https://github.com/osrg/gobgp/commit/2b09db390a3d455808363c53e409afe6b1b86d2d
उपयोगकर्ता
 rensiru (UID 96440)
सबमिशन14/03/2026 08:44 AM (4 महीनों पहले)
संयम30/03/2026 09:46 AM (16 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि354154 [osrg GoBGP तक 4.3.0 BGP OPEN Message pkg/packet/bgp/bgp.go DecodeFromBytes domainNameLen अधिकार वृद्धि]
अंक20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!