Multiple crash found by fuzzing #2708

Closed
0x34d opened this issue Sep 19, 2023 · 4 comments · Fixed by #2733

@0x34d
Contributor

0x34d commented Sep 19, 2023

PR: #2707

1

file: gobgp/pkg/packet/rtr/rtr_test.go

func TestParseRTRbug(t *testing.T) {
	ParseRTR([]byte("0\x0400000000"))
}

run: go test -run TestParseRTRbug $(pwd)/pkg/packet/rtr

backtrace:

--- FAIL: TestParseRTRbug (0.00s)
panic: runtime error: index out of range [10] with length 10 [recovered]
	panic: runtime error: index out of range [10] with length 10

goroutine 6 [running]:
testing.tRunner.func1.2({0x6439e0, 0xc00001e390})
	/usr/lib/golang/src/testing/testing.go:1526 +0x24e
testing.tRunner.func1()
	/usr/lib/golang/src/testing/testing.go:1529 +0x39f
panic({0x6439e0, 0xc00001e390})
	/usr/lib/golang/src/runtime/panic.go:884 +0x213
github.com/osrg/gobgp/v3/pkg/packet/rtr.(*RTRIPPrefix).DecodeFromBytes(0x10?, {0xc00001a960?, 0xc00001a960?, 0x0?})
	/home/legion/0x34d/gobgp/pkg/packet/rtr/rtr.go:217 +0x18c
github.com/osrg/gobgp/v3/pkg/packet/rtr.ParseRTR({0xc00001a960, 0xa, 0xa})
	/home/legion/0x34d/gobgp/pkg/packet/rtr/rtr.go:390 +0x138
github.com/osrg/gobgp/v3/pkg/packet/rtr.TestParseRTRbug(0x0?)
	/home/legion/0x34d/gobgp/pkg/packet/rtr/rtr_test.go:127 +0x45
testing.tRunner(0xc0000d0820, 0x686448)
	/usr/lib/golang/src/testing/testing.go:1576 +0x10b
created by testing.(*T).Run
	/usr/lib/golang/src/testing/testing.go:1629 +0x3ea
FAIL	github.com/osrg/gobgp/v3/pkg/packet/rtr	0.008s
FAIL

@0x34d
Contributor Author

0x34d commented Sep 19, 2023

2

file: gobgp/pkg/packet/bgp/bgp_test.go

func TestParseBGPMessage(t *testing.T) {
	ParseBGPMessage([]byte("0000000000000000\x000\x01000000000\x12\x02\nI0000000000000000"))
}

run: go test -run TestParseBGPMessage $(pwd)/pkg/packet/bgp

backtrace:

--- FAIL: TestParseBGPMessage (0.00s)
panic: runtime error: slice bounds out of range [:49] with capacity 15 [recovered]
	panic: runtime error: slice bounds out of range [:49] with capacity 15

goroutine 6 [running]:
testing.tRunner.func1.2({0x798200, 0xc00002c3c0})
	/usr/lib/golang/src/testing/testing.go:1526 +0x24e
testing.tRunner.func1()
	/usr/lib/golang/src/testing/testing.go:1529 +0x39f
panic({0x798200, 0xc00002c3c0})
	/usr/lib/golang/src/runtime/panic.go:884 +0x213
github.com/osrg/gobgp/v3/pkg/packet/bgp.(*CapFQDN).DecodeFromBytes(0x51a394?, {0xc0000301ff?, 0x51a360?, 0xc0000705b8?})
	/home/legion/0x34d/gobgp/pkg/packet/bgp/bgp.go:1018 +0x265
github.com/osrg/gobgp/v3/pkg/packet/bgp.DecodeCapability({0xc0000301ff, 0xa, 0x11})
	/home/legion/0x34d/gobgp/pkg/packet/bgp/bgp.go:1163 +0x222
github.com/osrg/gobgp/v3/pkg/packet/bgp.(*OptionParameterCapability).DecodeFromBytes(0xc00007e5a0, {0xc0000301ff?, 0x799640?, 0x519e6f?})
	/home/legion/0x34d/gobgp/pkg/packet/bgp/bgp.go:1182 +0xd1
github.com/osrg/gobgp/v3/pkg/packet/bgp.(*BGPOpen).DecodeFromBytes(0xc00009af40, {0xc0000301f3?, 0x86b62f?, 0xc0000706f8?}, {0x40f86a?, 0x26?, 0x59a?})
	/home/legion/0x34d/gobgp/pkg/packet/bgp/bgp.go:1273 +0x295
github.com/osrg/gobgp/v3/pkg/packet/bgp.parseBody(0xc000070700, {0xc0000301f3, 0x1d, 0x1d}, {0x0, 0x0, 0x0})
	/home/legion/0x34d/gobgp/pkg/packet/bgp/bgp.go:14637 +0x297
github.com/osrg/gobgp/v3/pkg/packet/bgp.ParseBGPMessage({0xc0000301e0, 0x30, 0x30}, {0x0, 0x0, 0x0})
	/home/legion/0x34d/gobgp/pkg/packet/bgp/bgp.go:14652 +0x1ff
github.com/osrg/gobgp/v3/pkg/packet/bgp.TestParseBGPMessage(0x0?)
	/home/legion/0x34d/gobgp/pkg/packet/bgp/bgp_test.go:3734 +0x6e
testing.tRunner(0xc0000de820, 0x7eb588)
	/usr/lib/golang/src/testing/testing.go:1576 +0x10b
created by testing.(*T).Run
	/usr/lib/golang/src/testing/testing.go:1629 +0x3ea
FAIL	github.com/osrg/gobgp/v3/pkg/packet/bgp	0.007s
FAIL

@fujita
Member

fujita commented Oct 31, 2023

Fixed the second bug. Thanks for the report!

@GoldBinocle

GoldBinocle commented Oct 31, 2023

Is "0000000000000000\x000\x01000000000\x12\x02\nI0000000000000000" hexstream of BGP? It seems not. What is it?

@fujita
Member

fujita commented Oct 31, 2023

Random bytes? However, GoBGP thought it was an Open Message and crashed.
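
An added example, not code from GoBGP or from anyone in this thread: a bounds-checked walk over the second reproducer, showing which of its bytes act as length fields and where they overrun the data. It assumes the RFC 4271 header and OPEN layout and an FQDN capability (code 73) whose value starts with a one-byte host-name length; `take`, `fqdnHost` and `errMalformed` are hypothetical names, and only the first optional parameter and first capability are followed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// The 48-byte reproducer from the issue, copied unchanged.
var sample = []byte("0000000000000000\x000\x01000000000\x12\x02\nI0000000000000000")
var errMalformed = errors.New("malformed or truncated field")

// take splits off the first n bytes of b, returning an error instead of panicking.
func take(b []byte, n int) (head, rest []byte, err error) {
	if n > len(b) {
		return nil, nil, errMalformed
	}
	return b[:n], b[n:], nil
}

// fqdnHost (hypothetical helper) checks every length field before slicing.
func fqdnHost(msg []byte) (msgLen uint16, msgType, capCode uint8, host string, err error) {
	hdr, rest, err := take(msg, 19) // marker(16) + length(2) + type(1)
	if err != nil {
		return
	}
	msgLen, msgType = binary.BigEndian.Uint16(hdr[16:18]), hdr[18]
	fixed, rest, err := take(rest, 10) // version, AS, hold time, ID, opt-param length
	if err != nil || msgType != 1 { // 1 = OPEN
		return msgLen, msgType, 0, "", errMalformed
	}
	param, _, err := take(rest, int(fixed[9])) // optional-parameter block
	if err != nil || len(param) < 2 || param[0] != 2 { // 2 = capabilities
		return msgLen, msgType, 0, "", errMalformed
	}
	capa, _, err := take(param[2:], int(param[1])) // first capability TLV
	if err != nil || len(capa) < 2 || capa[0] != 73 { // 73 = FQDN
		return msgLen, msgType, 0, "", errMalformed
	}
	val, _, err := take(capa[2:], int(capa[1])) // claimed capability length
	if err != nil || len(val) < 1 {
		return msgLen, msgType, capa[0], "", errMalformed
	}
	name, _, err := take(val[1:], int(val[0])) // claimed host-name length
	return msgLen, msgType, capa[0], string(name), err
}

func main() {
	fmt.Println(fqdnHost(sample)) // length fields inside the capability overrun the data
}
```

In the reproducer, bytes 16-17 (`\x00` and ASCII `0`) read as a message length of 48, `\x01` as type OPEN, `\x12\x02\n` as an 18-byte option block holding a 10-byte capability parameter, and `I` as capability code 73. The ASCII `0` bytes that follow read as lengths of 48, and 1 + 48 is the `[:49]` bound in the panic above.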
