| Title | osrg GoBGP <= 4.3.0 Out-of-Bounds Read |
|---|
| Description | Credit / Discovered by:
Xiangjun Sun, Jiahao Lei, Siru Ren, Zhouyan Deng, Jiajia Liu
(School of Cybersecurity, Northwestern Polytechnical University)
A vulnerability was found in GoBGP 4.3.0 in BMPPeerUpNotification.ParseBody() and BMPStatisticsReport.ParseBody() in pkg/packet/bmp/bmp.go. It has been classified as an out-of-bounds read vulnerability.
The affected functions parse BMP message bodies and directly access fixed offsets in the input buffer without performing sufficient length validation.
In BMPPeerUpNotification.ParseBody(), the code reads fields using offsets such as:
data[:16], data[16:18], data[18:20]
without ensuring that the input buffer contains at least 20 bytes.
In BMPStatisticsReport.ParseBody(), the code reads:
data[:4]
without verifying that the buffer length is at least 4 bytes.
If a crafted BMP message with truncated body data is processed, these unchecked slice operations may access memory beyond the buffer boundary, triggering a runtime panic.
Although the top-level BMP parser uses a recover mechanism to handle panics, the out-of-bounds access occurs before recovery, meaning memory is accessed out-of-bounds prior to error handling.
A remote attacker able to connect to a BMP listener and send malformed BMP messages may exploit this issue to crash the GoBGP daemon, resulting in a reliable denial of service condition.
Affected file: pkg/packet/bmp/bmp.go
Affected functions: BMPPeerUpNotification.ParseBody(), BMPStatisticsReport.ParseBody()
Impact: Remote denial of service (out-of-bounds read, crash) |
|---|
| Source | https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260 |
|---|
| User | Sunxj (UID 96442) |
|---|
| Submission | 2026-04-18 10:46 (2 months ago) |
|---|
| Moderation | 2026-05-03 18:16 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 360912 [osrg GoBGP up to 4.3.0 BMP Parser pkg/packet/bmp/bmp.go information disclosure] |
|---|
| Points | 20 |
|---|
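The length validation the description says is missing, as an added example (not GoBGP's code and not the referenced commit): the fixed offsets come from the report, while the type, function and error names are hypothetical and the inputs are constructed. It also shows that an unchecked `data[:n]` in Go is bounded by the slice's capacity rather than its length.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const peerUpFixedLen, statsFixedLen = 20, 4 // data[:16]+[16:18]+[18:20] and data[:4]

var errShortBody = errors.New("bmp: body shorter than fixed-length fields")

// peerUpHeader is a hypothetical type, not GoBGP's BMPPeerUpNotification.
type peerUpHeader struct {
	LocalAddress          [16]byte
	LocalPort, RemotePort uint16
}

// parsePeerUpHeader checks len(data) before any fixed offset is touched.
func parsePeerUpHeader(data []byte) (h peerUpHeader, rest []byte, err error) {
	if len(data) < peerUpFixedLen {
		return h, nil, fmt.Errorf("%w: peer up: got %d, need %d", errShortBody, len(data), peerUpFixedLen)
	}
	copy(h.LocalAddress[:], data[:16])
	h.LocalPort = binary.BigEndian.Uint16(data[16:18])
	h.RemotePort = binary.BigEndian.Uint16(data[18:20])
	return h, data[peerUpFixedLen:], nil
}

// parseStatsCount applies the same check to the 4-byte field at data[:4].
func parseStatsCount(data []byte) (count uint32, rest []byte, err error) {
	if len(data) < statsFixedLen {
		return 0, nil, fmt.Errorf("%w: stats report: got %d, need %d", errShortBody, len(data), statsFixedLen)
	}
	return binary.BigEndian.Uint32(data[:4]), data[statsFixedLen:], nil
}

// uncheckedPrefix mimics an unvalidated data[:n]: past cap(data) it panics,
// within cap(data) it silently returns bytes beyond the message length.
func uncheckedPrefix(data []byte, n int) (out []byte, panicked bool) {
	defer func() { panicked = recover() != nil }()
	return data[:n], false
}

func main() {
	_, _, err := parsePeerUpHeader(make([]byte, 19)) // constructed truncated body
	_, panicked := uncheckedPrefix(make([]byte, 2), 4)
	fmt.Println(err, "| unchecked data[:4] on 2 bytes panicked:", panicked)
}
```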