| Title | osrg GoBGP <= 4.3.0 Integer Underflow |
|---|
| Description | Credit / Discovered by:
Xiangjun Sun, Jiahao Lei, Siru Ren, Zhouyan Deng, Jiajia Liu
(School of Cybersecurity, Northwestern Polytechnical University)
A vulnerability was found in GoBGP 4.3.0 in parseRibEntry() in pkg/packet/mrt/mrt.go. It has been classified as an integer underflow vulnerability.
The function parses MRT TABLE_DUMPv2 RIB entries and uses a uint16 variable (`attrLen`) to track the remaining length of Path Attributes. During parsing, the code decreases `attrLen` using `attrLen -= uint16(p.Len())` without verifying whether the parsed attribute length exceeds the remaining buffer.
If a crafted PathAttribute reports a length larger than attrLen, the subtraction causes an unsigned integer underflow. Due to wraparound behavior, attrLen becomes a large positive value, allowing the loop to continue processing far beyond the intended buffer boundary.
Additionally, the bounds check `if len(data) < p.Len()` is performed after `DecodeFromBytes()`, meaning the attribute may already have accessed out-of-bounds memory before validation occurs.
A local or remote attacker able to supply a malicious MRT file may exploit this issue to trigger uncontrolled parsing behavior. Successful exploitation may result in excessive memory consumption, infinite loop conditions, or application crash.
Affected file: pkg/packet/mrt/mrt.go
Affected function: parseRibEntry()
Impact: Denial of service (integer underflow, out-of-bounds read, infinite loop or crash) |
|---|
| Source | ⚠️ https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 |
|---|
| User | Sunxj (UID 96442) |
|---|
| Submitted | 2026-04-18 10:44 (2 months ago) |
|---|
| Moderation | 2026-05-03 18:16 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 360911 [osrg GoBGP up to 4.3.0 pkg/packet/mrt/mrt.go parseRibEntry memory corruption] |
|---|
| Points | 20 |
|---|
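The remaining-length pattern from the description, as an added example that is not GoBGP's code: a simplified model using a toy attribute format (1-byte type, 1-byte value length, value). The names `attrSize`, `wrappedRemaining` and `parseAttrs` are hypothetical. It shows the uint16 wraparound next to a loop that validates each attribute against the declared window before reading or subtracting.

```go
package main

import (
	"errors"
	"fmt"
)

var errTruncated = errors.New("attribute exceeds remaining length")

// attrSize returns the encoded size of the toy attribute at the start of buf
// (1-byte type, 1-byte value length, value), checking bounds before any read.
func attrSize(buf []byte) (int, error) {
	if len(buf) < 2 || len(buf) < 2+int(buf[1]) {
		return 0, errTruncated
	}
	return 2 + int(buf[1]), nil
}

// wrappedRemaining models the flawed step: subtract without comparing first.
func wrappedRemaining(attrLen uint16, parsedLen int) uint16 {
	attrLen -= uint16(parsedLen) // wraps modulo 65536 when parsedLen > attrLen
	return attrLen
}

// parseAttrs is the hardened loop. It returns the value of each attribute.
func parseAttrs(data []byte, attrLen uint16) ([][]byte, error) {
	if int(attrLen) > len(data) {
		return nil, errTruncated
	}
	var values [][]byte
	for attrLen > 0 {
		// Decode only from the declared window, so n <= attrLen always holds.
		n, err := attrSize(data[:attrLen])
		if err != nil {
			return nil, err
		}
		values = append(values, data[2:n])
		data = data[n:]
		attrLen -= uint16(n) // cannot wrap: n <= attrLen
	}
	return values, nil
}

func main() {
	crafted := []byte{0x01, 0x0a, 0xaa, 0xbb} // constructed: claims 10 value bytes, has 2
	fmt.Println(wrappedRemaining(4, 2+int(crafted[1]))) // 65528
	_, err := parseAttrs(crafted, 4)
	fmt.Println(err)
}
```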