search

wladwm / zettabgp

BGP & BMP Rust library
MIT License
13 stars 5 forks source link

panic in BmpMessage::decode_from #1

Closed yu-re-ka closed 1 year ago

yu-re-ka commented 1 year ago 
thread 'main' panicked at 'range end index 3 out of range for slice of length 1', /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/afi/ipv6.rs:158:40
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::slice::index::slice_end_index_len_fail_rt
   3: core::slice::index::slice_end_index_len_fail
   4: <core::ops::range::Range<usize> as core::slice::index::SliceIndex<[T]>>::index
             at /build/rustc-1.65.0-src/library/core/src/slice/index.rs:316:13
   5: core::slice::index::<impl core::ops::index::Index<I> for [T]>::index
             at /build/rustc-1.65.0-src/library/core/src/slice/index.rs:18:9
   6: zettabgp::afi::ipv6::BgpAddrV6::from_bits
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/afi/ipv6.rs:158:40
   7: <zettabgp::afi::ipv6::BgpAddrV6 as zettabgp::afi::BgpItem<zettabgp::afi::ipv6::BgpAddrV6>>::extract_bits_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/afi/ipv6.rs:198:9
   8: zettabgp::afi::decode_bgpitem_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/afi/mod.rs:198:13
   9: zettabgp::afi::decode_bgpitems_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/afi/mod.rs:205:20
  10: zettabgp::afi::BgpAddrs::decode_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/afi/mod.rs:933:37
  11: zettabgp::message::attributes::multiproto::BgpMPUpdates::decode_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/message/attributes/multiproto.rs:143:18
  12: zettabgp::message::attributes::BgpAttrItem::decode_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/message/attributes/mod.rs:115:45
  13: <zettabgp::message::update::BgpUpdateMessage as zettabgp::BgpMessage>::decode_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/message/update/mod.rs:162:29
  14: zettabgp::bmp::msgrmon::BmpMessageRouteMonitoring::decode_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/bmp/msgrmon.rs:41:9
  15: zettabgp::bmp::BmpMessage::decode_from
             at /home/yuka/.cargo/registry/src/github.com-1ecc6299db9ec823/zettabgp-0.3.0/src/bmp/mod.rs:75:17
  16: fernglas::bmp_collector::run::{{closure}}::{{closure}}
             at ./src/bmp_collector.rs:61:33

The input:

00000000  03 00 00 00 8d 00 00 80  00 00 00 00 00 00 00 00  |................|
00000010  2a 0e b9 40 00 00 00 02  00 00 00 00 00 00 00 20  |*..@........... |
00000020  00 03 2e 0b 2d 8b 8a 14  63 bf ee a1 00 00 2a ff  |....-...c.....*.|
00000030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff 00  |................|
00000040  5d 02 00 00 00 46 40 01  01 00 40 02 0a 02 02 00  |]....F@...@.....|
00000050  00 fd e9 00 00 fd e9 40  05 04 00 00 00 64 90 0e  |.......@.....d..|
00000060  00 2a 00 02 01 10 2a 0e  b9 40 00 00 00 02 00 00  |.*....*..@......|
00000070  00 00 00 00 00 12 00 00  00 00 07 80 2a 0e b9 40  |............*..@|
00000080  00 00 00 00 00 00 00 00  00 00 13 35              |...........5|
0000008c

proposed patch:


diff --git a/src/afi/ipv6.rs b/src/afi/ipv6.rs
index e7fec7c..374e5c6 100644
--- a/src/afi/ipv6.rs
+++ b/src/afi/ipv6.rs
@@ -138,7 +138,8 @@ impl BgpAddrV6 {
         self.addr.octets()[0] == 255
     }
     pub fn from_bits(bits: u8, buf: &[u8]) -> Result<(BgpAddrV6, usize), BgpError> {
-        if bits > 128 {
+        let bytes = ((bits + 7) / 8) as usize;
+        if bits > 128 || buf.len() < bytes {
             return Err(BgpError::from_string(format!(
                 "Invalid FEC length: {:?}",
                 bits
@@ -154,7 +155,6 @@ impl BgpAddrV6 {
                 0,
             ));
         }
-        let bytes = ((bits + 7) / 8) as usize;
         bf[0..bytes].clone_from_slice(&buf[0..bytes]);
         Ok((
             BgpAddrV6 {
yu-re-ka commented 1 year ago

https://github.com/wobcom/zettabgp/commit/0247d7531e323b17c11ac2ea860860820afefb18

wladwm commented 1 year ago

Hi.

Thank you very much. Could you please clarify what device/OS makes such data?

yu-re-ka commented 1 year ago

Juniper mx204, Junos 21.3R2-S1.2 via BMP

wladwm commented 1 year ago

This trouble occurs because update messages contains addpath. Now it will try to detect addpath presence by leading zeros on NLRI when no known OPEN messages and will use transit OPEN messages to correct use capability set. Could you please check updated software to reproduce bug?

yu-re-ka commented 1 year ago

Wow this is wonderful, it works and the add-path routes also arrive. Thank you!

Can you also apply the panic fix to the ipv4 decoding, just in case?

wladwm commented 1 year ago

Done!