system/5052: abend in bgpd


system/5052: abend in bgpd

Pete Vickers
>Number:         5052
>Category:       system
>Synopsis:       bgpd crashes when fed junk in its control socket
>Confidential:   yes
>Severity:       non-critical
>Priority:       low
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Mar 12 20:10:02 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Pete Vickers
>Release:        3.9-current
>Organization:
systemnet
>Environment:
       
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
I'm playing with distributing spam blacklists via bgp with my net. I have a route server which I load up with spam hosts gleaned from spam blacklists, and then routers can peer with the route server and dynamically acquire the blacklist(s).
I fed bgpd something stupid via its control socket (admittedly as root) and bgpd crashed, which I think should be protected against.
>How-To-Repeat:
 fire up bgpd, then run:  #lynx -dump -dont_wrap_pre www.openbsd.org/spamd/spews_list_level1.txt.gz | awk ' /^[0-9]+/ {  while ( "bgpctl network add $1" | getline ) print } ' as superuser
>Fix:
        bgpd should probably validate input before processing it... and I should write better shell scripts to feed bgpd correctly.


>Release-Note:
>Audit-Trail:
>Unformatted:
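
An added example, not part of the original report or of bgpd: a POSIX sh filter that passes only well-formed IPv4 prefixes on to `bgpctl network add`, the sender-side counterpart of the validation the report asks for. The function names and the sample list are constructed for illustration, and the filter assumes IPv4-only input.

```shell
# Added example: let only well-formed IPv4 prefixes reach "bgpctl network add".
# valid_prefix4 PREFIX: succeed for a.b.c.d or a.b.c.d/len (octets 0-255, len 0-32).
valid_prefix4() {
	addr=${1%%/*}
	case $1 in
	*/*) len=${1#*/} ;;
	*) len=32 ;;
	esac
	case $len in
	'' | *[!0-9]* | ???*) return 1 ;;   # empty, non-numeric, or 3+ digits
	esac
	[ "$len" -le 32 ] || return 1
	case $addr in
	'' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
	esac
	old_ifs=$IFS; IFS=.
	set -- $addr                        # split into octets; digits and dots only
	IFS=$old_ifs
	[ $# -eq 4 ] || return 1
	for octet in "$@"; do
		case $octet in ????*) return 1 ;; esac
		[ "$octet" -le 255 ] || return 1
	done
}

# filter_prefixes: print the first field of each stdin line if it validates;
# everything else is reported on stderr and never passed on.
filter_prefixes() {
	while read -r first _rest; do
		case $first in '' | '#'*) continue ;; esac
		if valid_prefix4 "$first"; then
			printf '%s\n' "$first"
		else
			printf 'rejected: %s\n' "$first" >&2
		fi
	done
}

# Constructed sample input (documentation address ranges, not real list data).
sample_list() {
	cat <<'EOF'
# comment line
192.0.2.0/24 example-net
198.51.100.7
203.0.113.0/33 bad-length
300.1.2.3/8
10.0.0/8
junk
EOF
}
# Use: ... | filter_prefixes | while read -r p; do bgpctl network add "$p"; done
sample_list | filter_prefixes
```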


Re: system/5052: abend in bgpd

Claudio Jeker-3
The following reply was made to PR system/5052; it has been noted by GNATS.

From: Claudio Jeker <[hidden email]>
To: [hidden email]
Cc: [hidden email], Henning Brauer <[hidden email]>
Subject: Re: system/5052: abend in bgpd
Date: Sun, 12 Mar 2006 22:10:26 +0100

 On Sun, Mar 12, 2006 at 07:52:27PM +0100, [hidden email] wrote:
 > >Number:         5052
 > >Category:       system
 > >Synopsis:       bgpd crashes when fed junk in its control socket
 > >Confidential:   yes
 > >Severity:       non-critical
 > >Priority:       low
 > >Responsible:    bugs
 > >State:          open
 > >Quarter:        
 > >Keywords:      
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   net
 > >Arrival-Date:   Sun Mar 12 20:10:02 GMT 2006
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Pete Vickers
 > >Release:        3.9-current
 > >Organization:
 > systemnet
 > >Environment:
 >
 > System      : OpenBSD 3.9
 > Architecture: OpenBSD.i386
 > Machine     : i386
 > >Description:
 > I'm playing with distributing spam blacklists via bgp with my net. I have a route server which I load up with spam hosts gleaned from spam blacklists, and then routers can peer with the route server and dynamically acquire the blacklist(s).
 > I fed bgpd something stupid via its control socket (admittedly as root) and bgpd crashed, which I think should be protected against.
 > >How-To-Repeat:
 >  fire up bgpd, then run:  #lynx -dump -dont_wrap_pre www.openbsd.org/spamd/spews_list_level1.txt.gz | awk ' /^[0-9]+/ {  while ( "bgpctl network add $1" | getline ) print } ' as superuser
 > >Fix:
 >         bgpd should probably validate input before processing it... and I should write better shell scripts to feed bgpd correctly.
 >
 >
 > >Release-Note:
 > >Audit-Trail:
 > >Unformatted:
 >
 
 Could you try the following diff? This seems to fix the problem for me.
 
 --
 :wq Claudio
 
 Index: rde.c
 ===================================================================
 RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
 retrieving revision 1.200
 diff -u -p -r1.200 rde.c
 --- rde.c 10 Feb 2006 14:34:40 -0000 1.200
 +++ rde.c 12 Mar 2006 21:05:52 -0000
 @@ -343,7 +343,22 @@ rde_dispatch_imsg_session(struct imsgbuf
  break;
  }
  session_set = NULL;
 - network_add(&netconf_s, 0);
 + switch (netconf_s.prefix.af) {
 + case AF_INET:
 + if (netconf_s.prefixlen > 32)
 + goto badnet;
 + network_add(&netconf_s, 0);
 + break;
 + case AF_INET6:
 + if (netconf_s.prefixlen > 128)
 + goto badnet;
 + network_add(&netconf_s, 0);
 + break;
 + default:
 +badnet:
 + log_warnx("rde_dispatch: bad network");
 + break;
 + }
  break;
  case IMSG_NETWORK_REMOVE:
  if (imsg.hdr.len - IMSG_HEADER_SIZE !=
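
Review bot: the badnet path logs only the fixed string "rde_dispatch: bad network", so the log does not show which address family or prefix length was rejected; consider including netconf_s.prefix.af and netconf_s.prefixlen in the log_warnx call. The two case arms also repeat network_add(&netconf_s, 0); checking the per-family bound inside the switch and calling network_add once after it would remove the duplication and the goto into the default label.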


Re: system/5052: abend in bgpd

Pete Vickers
The following reply was made to PR system/5052; it has been noted by GNATS.

From: Pete Vickers <[hidden email]>
To: Claudio Jeker <[hidden email]>
Cc: [hidden email], Henning Brauer <[hidden email]>
Subject: Re: system/5052: abend in bgpd
Date: Sun, 12 Mar 2006 22:32:31 +0100

 On 12. mar. 2006, at 22.10, Claudio Jeker wrote:
 
 > On Sun, Mar 12, 2006 at 07:52:27PM +0100, [hidden email] wrote:
 >>> Number:         5052
 >>> Category:       system
 >>> Synopsis:       bgpd crashes when fed junk in its control socket
 >>> Confidential:   yes
 >>> Severity:       non-critical
 >>> Priority:       low
 >>> Responsible:    bugs
 >>> State:          open
 >>> Quarter:
 >>> Keywords:
 >>> Date-Required:
 >>> Class:          sw-bug
 >>> Submitter-Id:   net
 >>> Arrival-Date:   Sun Mar 12 20:10:02 GMT 2006
 >>> Closed-Date:
 >>> Last-Modified:
 >>> Originator:     Pete Vickers
 >>> Release:        3.9-current
 >>> Organization:
 >> systemnet
 >>> Environment:
 >>
 >> System      : OpenBSD 3.9
 >> Architecture: OpenBSD.i386
 >> Machine     : i386
 >>> Description:
 >> I'm playing with distributing spam blacklists via bgp with my net. I  
 >> have a route server which I load up with spam hosts gleaned from  
 >> spam blacklists, and then routers can peer with the route server  
 >> and dynamically acquire the blacklist(s).
 >> I fed bgpd something stupid via its control socket (admittedly as  
 >> root) and bgpd crashed, which I think should be protected against.
 >>> How-To-Repeat:
 >>  fire up bgpd, then run:  #lynx -dump -dont_wrap_pre  
 >> www.openbsd.org/spamd/spews_list_level1.txt.gz | awk ' /^[0-9]+/  
 >> {  while ( "bgpctl network add $1" | getline ) print } ' as superuser
 >>> Fix:
 >>         bgpd should probably validate input before processing  
 >> it... and I should write better shell scripts to feed bgpd correctly.
 >>
 >>
 >>> Release-Note:
 >>> Audit-Trail:
 >>> Unformatted:
 >>
 >
 > Could you try the following diff? This seems to fix the problem for  
 > me.
 >
 > --
 > :wq Claudio
 >
 > Index: rde.c
 > ===================================================================
 > RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
 > retrieving revision 1.200
 > diff -u -p -r1.200 rde.c
 > --- rde.c 10 Feb 2006 14:34:40 -0000 1.200
 > +++ rde.c 12 Mar 2006 21:05:52 -0000
 > @@ -343,7 +343,22 @@ rde_dispatch_imsg_session(struct imsgbuf
 >   break;
 >   }
 >   session_set = NULL;
 > - network_add(&netconf_s, 0);
 > + switch (netconf_s.prefix.af) {
 > + case AF_INET:
 > + if (netconf_s.prefixlen > 32)
 > + goto badnet;
 > + network_add(&netconf_s, 0);
 > + break;
 > + case AF_INET6:
 > + if (netconf_s.prefixlen > 128)
 > + goto badnet;
 > + network_add(&netconf_s, 0);
 > + break;
 > + default:
 > +badnet:
 > + log_warnx("rde_dispatch: bad network");
 > + break;
 > + }
 >   break;
 >   case IMSG_NETWORK_REMOVE:
 >   if (imsg.hdr.len - IMSG_HEADER_SIZE !=
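
Review bot: the family and prefixlen check is added only on the add path, while the IMSG_NETWORK_REMOVE case that starts in the trailing context is untouched by this hunk; it is worth confirming that the remove path rejects an unknown prefix.af and a prefixlen above 32 or 128 in the same way. A single validation helper called from both cases would keep the limits in one place.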
 
 
 Hi,
 
 now I get:
 
 $ tail /var/log/daemon
 Mar 12 22:29:53 dev bgpd[3875]: rde_dispatch: bad network
 
 much healthier :) thanks for ultra quick response.
 
 /Pete