Submission #807605: osrg GoBGP <= 4.3.0 Out-of-Bounds Read (info)

Title: osrg GoBGP <= 4.3.0 Out-of-Bounds Read

Description:

Credit / Discovered by: Xiangjun Sun, Jiahao Lei, Siru Ren, Zhouyan Deng, Jiajia Liu (School of Cybersecurity, Northwestern Polytechnical University)

A vulnerability was found in GoBGP 4.3.0 in BMPPeerUpNotification.ParseBody() and BMPStatisticsReport.ParseBody() in pkg/packet/bmp/bmp.go. It has been classified as an out-of-bounds read vulnerability.

The affected functions parse BMP message bodies and directly access fixed offsets in the input buffer without performing sufficient length validation. In BMPPeerUpNotification.ParseBody(), the code reads fields using offsets such as: data[:16], data[16:18], data[18:20] without ensuring that the input buffer contains at least 20 bytes. In BMPStatisticsReport.ParseBody(), the code reads: data[:4] without verifying that the buffer length is at least 4 bytes.

If a crafted BMP message with truncated body data is processed, these unchecked slice operations may access memory beyond the buffer boundary, triggering a runtime panic. Although the top-level BMP parser uses a recover mechanism to handle panics, the out-of-bounds access occurs before recovery, meaning memory is accessed out-of-bounds prior to error handling.

A remote attacker able to connect to a BMP listener and send malformed BMP messages may exploit this issue to crash the GoBGP daemon, resulting in a reliable denial of service condition.

Affected file: pkg/packet/bmp/bmp.go
Affected functions: BMPPeerUpNotification.ParseBody(), BMPStatisticsReport.ParseBody()
Impact: Remote denial of service (out-of-bounds read, crash)

Source: https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260
User: Sunxj (UID 96442)
Submitted: 2026-04-18 10:46 (2 months ago)
Moderated: 2026-05-03 18:16 (15 days later)
Status: Accepted
VulDB entry: 360912 [osrg GoBGP up to 4.3.0 BMP Parser pkg/packet/bmp/bmp.go information disclosure]
Points: 20
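
Added example (not GoBGP's code and not the fix from the linked commit): a length-checked Go parse of the fixed-offset fields named in the description, which returns an error on a truncated body instead of slicing past the end of the buffer. The type, function, field and error names are hypothetical, and the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Sizes follow the offsets quoted in the description above.
const (
	peerUpFixedLen = 20 // data[:16], data[16:18], data[18:20]
	statsFixedLen  = 4  // data[:4]
)

// ErrTruncated is a hypothetical sentinel error for short bodies.
var ErrTruncated = errors.New("bmp: truncated message body")

// PeerUpFixed is a hypothetical type; the field names are assumptions.
type PeerUpFixed struct {
	LocalAddress net.IP
	LocalPort    uint16
	RemotePort   uint16
}

// ParsePeerUpFixed validates the length before touching any fixed offset.
func ParsePeerUpFixed(data []byte) (PeerUpFixed, []byte, error) {
	if len(data) < peerUpFixedLen {
		return PeerUpFixed{}, nil, fmt.Errorf("%w: peer up needs %d bytes, got %d", ErrTruncated, peerUpFixedLen, len(data))
	}
	p := PeerUpFixed{
		LocalAddress: net.IP(append([]byte(nil), data[:16]...)), // copy, do not alias the input
		LocalPort:    binary.BigEndian.Uint16(data[16:18]),
		RemotePort:   binary.BigEndian.Uint16(data[18:20]),
	}
	return p, data[peerUpFixedLen:], nil // remainder is left for the caller to parse
}

// ParseStatsCount applies the same check to the 4-byte field at data[:4].
func ParseStatsCount(data []byte) (uint32, []byte, error) {
	if len(data) < statsFixedLen {
		return 0, nil, fmt.Errorf("%w: statistics report needs %d bytes, got %d", ErrTruncated, statsFixedLen, len(data))
	}
	return binary.BigEndian.Uint32(data[:4]), data[statsFixedLen:], nil
}

func main() {
	_, _, err := ParsePeerUpFixed(make([]byte, 19)) // constructed truncated body
	fmt.Println(err)
}
```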