| Título | osrg GoBGP <= 4.3.0 Integer Underflow |
|---|
| Descrição | Credit / Discovered by:
Xiangjun Sun, Jiahao Lei, Siru Ren, Zhouyan Deng, Jiajia Liu
(School of Cybersecurity, Northwestern Polytechnical University)
A vulnerability was found in GoBGP 4.3.0 in parseRibEntry() in pkg/packet/mrt/mrt.go. It has been classified as an integer underflow vulnerability.
The function parses MRT TABLE_DUMPv2 RIB entries and uses a uint16 variable (attrLen) to track the remaining length of Path Attributes. During parsing, the code decreases attrLen using:
attrLen -= uint16(p.Len())
without verifying whether the parsed attribute length exceeds the remaining buffer.
If a crafted PathAttribute reports a length larger than attrLen, the subtraction causes an unsigned integer underflow. Due to wraparound behavior, attrLen becomes a large positive value, allowing the loop to continue processing far beyond the intended buffer boundary.
Additionally, the bounds check:
if len(data) < p.Len()
is performed after DecodeFromBytes(), meaning the attribute may already have accessed out-of-bounds memory before validation occurs.
A local or remote attacker able to supply a malicious MRT file may exploit this issue to trigger uncontrolled parsing behavior. Successful exploitation may result in excessive memory consumption, infinite loop conditions, or application crash.
Affected file: pkg/packet/mrt/mrt.go
Affected function: parseRibEntry()
Impact: Denial of service (integer underflow, out-of-bounds read, infinite loop or crash) |
|---|
| Fonte | ⚠️ https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 |
|---|
| Utilizador | Sunxj (UID 96442) |
|---|
| Submissão | 18/04/2026 10h44 (há 2 meses) |
|---|
| Moderação | 03/05/2026 18h16 (15 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 360911 [osrg GoBGP até 4.3.0 pkg/packet/mrt/mrt.go parseRibEntry Excesso de tampão] |
|---|
| Pontos | 20 |
|---|