| 标题 | osrg GoBGP <= 4.3.0 Integer Underflow |
|---|
| 描述 | Credit / Discovered by:
Xiangjun Sun, Jiahao Lei, Siru Ren, Zhouyan Deng, Jiajia Liu
(School of Cybersecurity, Northwestern Polytechnical University)
A vulnerability was found in GoBGP 4.3.0 in parseRibEntry() in pkg/packet/mrt/mrt.go. It has been classified as an integer underflow vulnerability.
The function parses MRT TABLE_DUMPv2 RIB entries and uses a uint16 variable (attrLen) to track the remaining length of Path Attributes. During parsing, the code decreases attrLen using:
attrLen -= uint16(p.Len())
without verifying whether the parsed attribute length exceeds the remaining buffer.
If a crafted PathAttribute reports a length larger than attrLen, the subtraction causes an unsigned integer underflow. Due to wraparound behavior, attrLen becomes a large positive value, allowing the loop to continue processing far beyond the intended buffer boundary.
Additionally, the bounds check:
if len(data) < p.Len()
is performed after DecodeFromBytes(), meaning the attribute may already have accessed out-of-bounds memory before validation occurs.
A local or remote attacker able to supply a malicious MRT file may exploit this issue to trigger uncontrolled parsing behavior. Successful exploitation may result in excessive memory consumption, infinite loop conditions, or application crash.
Affected file: pkg/packet/mrt/mrt.go
Affected function: parseRibEntry()
Impact: Denial of service (integer underflow, out-of-bounds read, infinite loop or crash) |
|---|
| 来源 | ⚠️ https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 |
|---|
| 用户 | Sunxj (UID 96442) |
|---|
| 提交 | 2026-04-18 10時44分 (2 月前) |
|---|
| 管理 | 2026-05-03 18時16分 (15 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 360911 [osrg GoBGP 直到 4.3.0 pkg/packet/mrt/mrt.go parseRibEntry 内存损坏] |
|---|
| 积分 | 20 |
|---|