| Title | GoBGP 4.3.0 Infinite Loop |
|---|
| Description | Discovery / credits: Siru Ren, School of Cybersecurity, Northwestern Polytechnical University; Xiangjun Sun, School of Cybersecurity, Northwestern Polytechnical University; Jiahao Lei, School of Cybersecurity, Northwestern Polytechnical University; Zhouyan Deng, School of Cybersecurity, Northwestern Polytechnical University; Jiajia Liu, School of Cybersecurity, Northwestern Polytechnical University.
A vulnerability was found in GoBGP 4.3.0 in SRv6L3ServiceAttribute.DecodeFromBytes() in pkg/packet/bgp/prefix_sid.go. It has been classified as an infinite loop vulnerability.
The function parses SRv6 L3 Service Attribute sub-TLVs. In the default branch for unknown sub-TLV types, the code mistakenly uses the variable data, which refers to the original input buffer, instead of stlvs, which is the current iteration buffer. As a result, the bounds check is performed on the wrong buffer and the wrong pointer is advanced.
Because stlvs is never updated in that branch, the loop condition remains true and the same sub-TLV is parsed repeatedly. A remote attacker able to send a crafted BGP UPDATE with a Prefix SID path attribute containing an SRv6 L3 Service Attribute and an unknown sub-TLV type may trigger an infinite loop.
Successful exploitation may cause the GoBGP daemon to consume 100% CPU and become unresponsive, resulting in remote denial of service.
Affected file: pkg/packet/bgp/prefix_sid.go
Affected function: SRv6L3ServiceAttribute.DecodeFromBytes()
Impact: Remote denial of service (infinite loop, CPU exhaustion). |
|---|
| Source | https://github.com/osrg/gobgp/commit/f9f7b55ec258e514be0264871fa645a2c3edad11 |
|---|
| User | rensiru (UID 96440) |
|---|
| Submission | 2026-04-18 10:00 (2 months ago) |
|---|
| Moderation | 2026-05-03 18:16 (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 360909 [osrg GoBGP up to 4.3.0 SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes data denial of service] |
|---|
| Points | 20 |
|---|
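
The description above attributes the loop to a branch that leaves the iteration buffer untouched for unknown sub-TLV types. The following is an added sketch of a loop structure that turns that bug class into a parse error; it is not GoBGP's code and not the upstream fix. The sub-TLV layout, `knownType`, the sample bytes and all function names are assumptions made for the illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout (sketch only): 1-byte type, 2-byte big-endian length, value.
const hdrLen, knownType = 3, 1 // knownType: hypothetical recognised type
var errTruncated = errors.New("sub-TLV length exceeds remaining bytes")
var errNoProgress = errors.New("handler consumed nothing from the cursor")

// Constructed input: known (len 2), unknown type 0xFF (len 1), known (len 0).
var sample = []byte{1, 0, 2, 0xAA, 0xBB, 0xFF, 0, 1, 0xCC, 1, 0, 0}

// walk owns the cursor: fn only reports bytes consumed; no progress is an error.
func walk(data []byte, fn func(cur []byte) (int, error)) (int, error) {
	parsed := 0
	for cur := data; len(cur) >= hdrLen; parsed++ {
		n, err := fn(cur)
		if err != nil {
			return parsed, err
		}
		if n < hdrLen || n > len(cur) {
			return parsed, errNoProgress
		}
		cur = cur[n:]
	}
	return parsed, nil
}

// checkedStep bounds-checks against cur; unknown types are skipped by length.
func checkedStep(cur []byte) (int, error) {
	n := hdrLen + int(binary.BigEndian.Uint16(cur[1:3]))
	if n > len(cur) {
		return 0, errTruncated
	}
	return n, nil
}

// staleStep models the reported branch: an unknown type leaves cur unconsumed.
func staleStep(cur []byte) (int, error) {
	if cur[0] == knownType {
		return checkedStep(cur)
	}
	return 0, nil
}

func main() { fmt.Println(walk(sample, staleStep)) }
```

Because only `walk` advances the cursor, a handler cannot check or advance a different slice, and a regression test can assert that an unknown type terminates parsing.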