| 제목 | osrg GoBGP <= 4.3.0 Integer Underflow |
|---|
| 설명 | Credit / Discovered by:
Xiangjun Sun, Jiahao Lei, Siru Ren, Zhouyan Deng, Jiajia Liu
(School of Cybersecurity, Northwestern Polytechnical University)
A vulnerability was found in GoBGP 4.3.0 in parseRibEntry() in pkg/packet/mrt/mrt.go. It has been classified as an integer underflow vulnerability.
The function parses MRT TABLE_DUMPv2 RIB entries and uses a uint16 variable (attrLen) to track the remaining length of Path Attributes. During parsing, the code decreases attrLen using:
attrLen -= uint16(p.Len())
without verifying whether the parsed attribute length exceeds the remaining buffer.
If a crafted PathAttribute reports a length larger than attrLen, the subtraction causes an unsigned integer underflow. Due to wraparound behavior, attrLen becomes a large positive value, allowing the loop to continue processing far beyond the intended buffer boundary.
Additionally, the bounds check:
if len(data) < p.Len()
is performed after DecodeFromBytes(), meaning the attribute may already have accessed out-of-bounds memory before validation occurs.
A local or remote attacker able to supply a malicious MRT file may exploit this issue to trigger uncontrolled parsing behavior. Successful exploitation may result in excessive memory consumption, infinite loop conditions, or application crash.
Affected file: pkg/packet/mrt/mrt.go
Affected function: parseRibEntry()
Impact: Denial of service (integer underflow, out-of-bounds read, infinite loop or crash) |
|---|
| 원천 | ⚠️ https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 |
|---|
| 사용자 | Sunxj (UID 96442) |
|---|
| 제출 | 2026. 04. 18. AM 10:44 (2 개월 ago) |
|---|
| 모더레이션 | 2026. 05. 03. PM 06:16 (15 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 360911 [osrg GoBGP 까지 4.3.0 pkg/packet/mrt/mrt.go parseRibEntry 메모리 손상] |
|---|
| 포인트들 | 20 |
|---|