Wireshark-commits: [Wireshark-commits] master-2.4 5eb6f11: BGP: Validate length of Path Attribute r
From: Wireshark code review <code-review-do-not-reply@xxxxxxxxxxxxx>
Date: Sat, 23 Jun 2018 19:56:53 +0000
URL: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5eb6f114a0c208861e3e391e196531cf42506c0d
Submitter: Guy Harris (guy@xxxxxxxxxxxx)
Changed: branch: master-2.4
Repository: wireshark

Commits:

5eb6f11 by Darius Davis (darius@xxxxxxxxxx):

    BGP: Validate length of Path Attribute records.
    
    Bug 13741 showed a case where the BGP dissector's failure to validate the
    length of the Path Attribute record allowed a pathological BGP UPDATE packet to
    generate more than one million items in the protocol tree by repeatedly
    dissecting certain segments of the packet.
    
    It's easy enough to detect when the Path Attribute length cannot be valid, so
    let's do so.  When the condition arises, let's raise an Expert Info error in
    the same style and format as used elsewhere in the same routine, and abandon
    dissection of the Path Attributes list.
    
    With this check in place, an incorrect length computation is revealed at a
    callsite.  This would only have prevented a small (less than 5 bytes) Path
    Attribute from being dissected if it was at the very end of the Path Attributes
    list, but the bounds checking added in this change makes this problem much more
    apparent, so we fix the length computation while we're here.
    
    Testing Done: Built wireshark on Linux amd64.  Using bgp.pcap from the Sample
       Captures page on the wiki, verified that the dissection of the UPDATE
       packets were unaltered by this fix.  Using the capture attached to bug 13741
       (clusterfuzz-testcase-minimized-6689222578667520.pcap), verified that the
       packet no longer triggers the "too many items" exception, instead we see
       an Expert Info for each oversized Path Attribute length, and eventually an
       exception for "length of contained item exceeds length of containing item".
       30,000 iterations of fuzz test with bgp.pcap as input, and many iterations
       of randpkt-test too.  Crafted a packet with a 3-byte ATOMIC_AGGREGATE Path
       Attribute at the end of the Path Attributes list; Before this change, an
       exception is raised during dissection, but after this change it is dissected
       correctly.
    
    Bug: 13741
    Change-Id: I80f506b114a61e5b060d93b59bed6b94fb188b3e
    Reviewed-on: https://code.wireshark.org/review/27466
    Reviewed-by: Peter Wu <peter@xxxxxxxxxxxxx>
    Petri-Dish: Peter Wu <peter@xxxxxxxxxxxxx>
    Tested-by: Petri Dish Buildbot
    Reviewed-by: Anders Broman <a.broman58@xxxxxxxxx>
    (cherry picked from commit 6e88943d0eabc8c8bc11334ba4213ec64129575c)
    Reviewed-on: https://code.wireshark.org/review/28402
    Reviewed-by: Guy Harris <guy@xxxxxxxxxxxx>
    

Actions performed:

    from  233740d   S1AP: fix a copy/paste error in a field name
    adds  5eb6f11   BGP: Validate length of Path Attribute records.


Summary of changes:
 epan/dissectors/packet-bgp.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)