Juniper Openstack

Nexthop address length in MpReachNlri is not verified

  1. Series r2.20
  2. Bug #1517210
Bug #1517210 reported by Nischal Sheth
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R2.20
Fix Committed
High
Nischal Sheth
Juniper Openstack r2.22
R2.21.x
Fix Committed
High
Nischal Sheth
Juniper Openstack r2.21.2
Trunk
Fix Committed
High
Nischal Sheth
Juniper Openstack r3.0-fcs

Bug Description

The value of nexthop address length field in MpReachNlri is not verified
in the parser. It simply copies the specified number of bytes into the
BgpMpNlri::nexthop field, which is a vector. This by itself is not unsafe.

Problem is that BgpPeer::GetMpNlriNexthop assumes that BgpMpNlri::nexthop is of the correct size and simply copies the vector into local variables
that may be only 4 (Ip4Address::bytes_type) or 16 (Ip6Address::bytes_type) bytes long.

See original description
Nischal Sheth (nsheth)
description: updated
description: updated
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/15209
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/15210
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/15211
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/15211
Committed: http://github.org/Juniper/contrail-controller/commit/5e380bea64fb503651e050a4d8fc0c5c3061083f
Submitter: Zuul
Branch: master

commit 5e380bea64fb503651e050a4d8fc0c5c3061083f
Author: Nischal Sheth <email address hidden>
Date: Mon Nov 16 16:12:25 2015 -0800

Add verification for MP_REACH_NLRI nexthop address length field

Change-Id: I86571dba9948e9a91e59b01ed690d6e6a514aa49
Closes-Bug: 1517210

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/15210
Committed: http://github.org/Juniper/contrail-controller/commit/12da02f8fd301d4f501cc77539c2ac672c244da5
Submitter: Zuul
Branch: R2.21.x

commit 12da02f8fd301d4f501cc77539c2ac672c244da5
Author: Nischal Sheth <email address hidden>
Date: Mon Nov 16 16:12:25 2015 -0800

Add verification for MP_REACH_NLRI nexthop address length field

Change-Id: I86571dba9948e9a91e59b01ed690d6e6a514aa49
Closes-Bug: 1517210

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/15246
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/15246
Committed: http://github.org/Juniper/contrail-controller/commit/51d0c1c7d3522020dafdd7bc390492b3499955bb
Submitter: Zuul
Branch: master

commit 51d0c1c7d3522020dafdd7bc390492b3499955bb
Author: Nischal Sheth <email address hidden>
Date: Mon Nov 16 16:12:25 2015 -0800

Set error code/subcode for MP_REACH_NLRI nexthop address length

Highlights:

- Set the error code and subcode per section 7 of rfc 4760
- Tweak initial input data for UpdateError so that it's valid
- Add test for bad mp reach nexthop address length

Change-Id: I80252bd67413fd43ec205431e27697879b7e15a9
Closes-Bug: 1517210

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/15209
Committed: http://github.org/Juniper/contrail-controller/commit/9e109619e26e209fe962e539918c43a741bd7618
Submitter: Zuul
Branch: R2.20

commit 9e109619e26e209fe962e539918c43a741bd7618
Author: Nischal Sheth <email address hidden>
Date: Mon Nov 16 16:12:25 2015 -0800

Add verification for MP_REACH_NLRI nexthop address length field

Change-Id: I86571dba9948e9a91e59b01ed690d6e6a514aa49
Closes-Bug: 1517210

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/15325
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20

Review in progress for https://review.opencontrail.org/15326
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/15325
Committed: http://github.org/Juniper/contrail-controller/commit/998e58d7f947ddeea6ea575026849b7ab37d46ca
Submitter: Zuul
Branch: R2.21.x

commit 998e58d7f947ddeea6ea575026849b7ab37d46ca
Author: Nischal Sheth <email address hidden>
Date: Fri Nov 20 17:31:17 2015 -0800

Set error code/subcode for MP_REACH_NLRI nexthop address length

Change-Id: I936c7d5647201eab392d45789f1c468a32abaa67
Closes-Bug: 1517210

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/15326
Committed: http://github.org/Juniper/contrail-controller/commit/fa8aae537067448dc184a644c9d4c1f1b3c4ef50
Submitter: Zuul
Branch: R2.20

commit fa8aae537067448dc184a644c9d4c1f1b3c4ef50
Author: Nischal Sheth <email address hidden>
Date: Fri Nov 20 17:31:17 2015 -0800

Set error code/subcode for MP_REACH_NLRI nexthop address length

Change-Id: I936c7d5647201eab392d45789f1c468a32abaa67
Closes-Bug: 1517210

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.