- 
                Notifications
    You must be signed in to change notification settings 
- Fork 722
Add boundary checks to prevent memory safety issues in BgpLayer::getHeaderLen #1954
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add boundary checks to prevent memory safety issues in BgpLayer::getHeaderLen #1954
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm unsure why the CI has a failure on checkout on windows. :/
| 
 I think the error is that Windows can't contain  | 
| Codecov Report❌ Patch coverage is  
 Additional details and impacted files@@            Coverage Diff             @@
##              dev    #1954      +/-   ##
==========================================
- Coverage   83.41%   83.38%   -0.03%     
==========================================
  Files         311      311              
  Lines       55002    55034      +32     
  Branches    12098    11958     -140     
==========================================
+ Hits        45878    45892      +14     
- Misses       7889     8257     +368     
+ Partials     1235      885     -350     
 Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
 | 
        
          
                Packet++/src/Layer.cpp
              
                Outdated
          
        
      | if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast<ptrdiff_t>(offsetInLayer) > | ||
| static_cast<ptrdiff_t>(m_Packet->m_RawPacket->getRawDataLen())) | ||
| { | ||
| PCPP_LOG_ERROR("Requested offset is larger than total packet length"); | ||
| return false; | ||
| } | ||
|  | ||
| if (m_NextLayer != nullptr && static_cast<ptrdiff_t>(offsetInLayer) > m_NextLayer->m_Data - m_Data) | ||
| { | ||
| PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary"); | ||
| return false; | ||
| } | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are these checks needed? All we need to check is that offsetInLayer is within the layer's boundary, which means it is smaller than or equal to m_DataLen. Why do we need to compare it to the whole packet or involve m_NextLayer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Length-related errors introduced during layer shortening can result in the same sanitizer issues when the layer is later extended
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand... can you elaborate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to say that problems with m_DataLen not matching the actual layer length and the length from the bgp_common_header, as in the examples below, can lead to problems with exceeding the boundaries of the layer or packet during extension.
        
          
                Packet++/src/Layer.cpp
              
                Outdated
          
        
      | if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast<ptrdiff_t>(offsetInLayer) + | ||
| static_cast<ptrdiff_t>(numOfBytesToShorten) > | ||
| static_cast<ptrdiff_t>(m_Packet->m_RawPacket->getRawDataLen())) | ||
| { | ||
| PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length"); | ||
| return false; | ||
| } | ||
|  | ||
| if (m_NextLayer != nullptr && | ||
| static_cast<ptrdiff_t>(offsetInLayer) + static_cast<ptrdiff_t>(numOfBytesToShorten) > | ||
| m_NextLayer->m_Data - m_Data) | ||
| { | ||
| PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary"); | ||
| return false; | ||
| } | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I analyzed several malformed packets that triggered sanitizer errors, and identified some of the root causes.
When iterating over layers during recalculation after shortening a layer, the pointer to the next layer is computed as dataPtr (current layer pointer) + headerLen. For BGP, headerLen corresponds either to the length field of the bgp_common_header structure or to the actual layer length m_DataLen — whichever is smaller. In malformed packets, the header length may not match the actual layer length, or may contain arbitrary values (possibly due to previous incorrect shortening or extension), which can lead to several issues
- 
numOfBytesToShortenis subtracted from them_DataLenof all layers preceding the shortened one. IfnumOfBytesToShortenis greater thanm_DataLen, this causesm_DataLento wrap around, resulting in an extremely large value. In such cases, when calculatingheaderLen, the header field is selected, which may be invalid, leading to out-of-bounds memory access.
- 
In the shortened layer, numOfBytesToShortenis first subtracted fromm_DataLen, then again fromheaderLen.BgpLayer::getHeaderLen()returns newm_DataLenas the smallest, which results innumOfBytesToShortenbeing subtracted twice, potentially producing a negative value.
I believe headerLen calculation could be moved before updating the current layer’s m_DataLen. However, this would not resolve the issue described in the next point.
- Malformed packets may also contain nested BGP layers, which is inherently invalid and can trigger the errors described earlier.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
numOfBytesToShortenis subtracted from them_DataLenof all layers preceding the shortened one. IfnumOfBytesToShortenis greater thanm_DataLen
How can numOfBytesToShorten be greater than m_DataLen? 🤔
- In the shortened layer,
numOfBytesToShortenis first subtracted fromm_DataLen, then again fromheaderLen.BgpLayer::getHeaderLen()returns newm_DataLenas the smallest, which results innumOfBytesToShortenbeing subtracted twice, potentially producing a negative value.
I believe this is only relevant to the changes in Packet.cpp, right?
- Malformed packets may also contain nested BGP layers, which is inherently invalid and can trigger the errors described earlier.
By nested BPG layers, do you mean a BGP layer that comes after another BGP layer? If yes, this is actually a valid scenario that we support:
PcapPlusPlus/Packet++/src/BgpLayer.cpp
Line 80 in 32384c2
| void BgpLayer::parseNextLayer() | 
What's the issue in this case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How can numOfBytesToShorten be greater than m_DataLen? 🤔
I'll try to explain with an example. The diagrams show the packet layout in memory. Each dot represents the start of a layer, layer addresses are represented by the last two bytes, and for some points I've calculated the actual offset from the beginning of the packet for clarity.

Let's consider a packet from the file *d94f8b  from regression_samples before shortening that caused sanitizer error.
The fragment that should be removed is highlighted in bold (atIndex = 148, numOfBytesToShorten = 46).
The first thing that stands out is that it gets to the next layer. Simply adding a check like (size_t)offsetInLayer + numOfBytesToShorten >= m_DataLen won't be sufficient in this case, because m_DataLen of BGP layers doesn't match the actual layer size in memory:
102 - 66 = 36, but DataLen = 95
183 - 125 = 58, but DataLen = 73
However, the error doesn't occur because of this. After removing the fragment, m_DataLen of previous layers is recalculated according to the condition:
if (!passedExtendedLayer)
    curLayer->m_DataLen -= numOfBytesToShorten;
Since the layer at address afe6 has length of 23, subtracting 46 causes an overflow. The headerLen is taken from the bgp_common_header structure (which is 907 in this case), dataPtr points beyond the packet boundaries, and subsequent call to BgpLayer::getHeaderLen() results in a heap-buffer-overflow error.
By nested BPG layers, do you mean a BGP layer that comes after another BGP layer?
I mean BGP layers where one layer is inside another, i.e. in the BGP payload there is another BGP layer.
For example, in file *d6be97 the following situation occurs:
 
I believe this is only relevant to the changes in Packet.cpp, right?
If you mean moving the calculation of headerLen, then yes, this applies to changes in Packet.cpp.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the thorough and detailed explanation, much appreciated! 🙏
I have 2 follow-up questions:
- Since the fixes are within extendLayer()andshortenLayer()I assume you found them when trying to edit packets, is that correct? As far as I know, our regression tests don't edit packets, so the files you added toTests/Fuzzers/RegressionTests/regression_samplesdon't actually test the scenario being fixed
- Is there any way to make these fixes inside BgpLayeror do they have to beLayerandPacket?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- This PR addresses bug fix [Bug]: Heap-Use-After-Free and Heap-Buffer-Overflow in
BgpLayer::getHeaderLen()#1864, and the files added to regression_samples are poc files that triggered sanitizer errors. I can write additional tests if needed
I apologize, our fuzz tests do modify packets:
PcapPlusPlus/Tests/Fuzzers/FuzzTarget.cpp
Line 66 in 32384c2
| readParsedPacket(parsedPacket, layer); | 
So adding these files should be ok.
BTW, did you have a chance to run these files before the fix and they failed?
2. As for the BGP layer, I believe the following checks could be implemented
What I meant is fix BgpOpenMessageLayer::setOptionalParameters to disallow calling shortenLayer and extendLayer if the packet data is invalid. Would it fix the issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BTW, did you have a chance to run these files before the fix and they failed?
Yes, each of these files triggered a sanitizer error (heap-buffer-overflow or heap-use-after-free) when calling pcpp::BgpLayer::getHeaderLen() on the problematic layer.
What I meant is fix
BgpOpenMessageLayer::setOptionalParametersto disallow callingshortenLayerandextendLayerif the packet data is invalid.
The checks could be moved into the BGP layer. To do that, they’d need to be extracted into a separate helper method, since shortenLayer/extendLayer can be called from:
- BgpOpenMessageLayer::setOptionalParameters
- BgpUpdateMessageLayer::setWithdrawnRoutes
- BgpUpdateMessageLayer::setPathAttributes
- BgpUpdateMessageLayer::setNetworkLayerReachabilityInfo
- BgpNotificationMessageLayer::setNotificationData
Also, shortenLayer/extendLayer are used by other protocols as well, so similar issues could potentially appear there too.
At the very least, it makes sense to keep in shortenLayer a check to ensure the number of bytes being removed doesn’t exceed the layer’s length:
(size_t)offsetInLayer + numOfBytesToShorten > m_DataLen
And it would be better to move the headerLen calculation before updating the current layer m_DataLen, to avoid double subtraction.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR fixes the issue in setNetworkLayerReachabilityInfo 🙂
I think we can do the same for the rest of the setters in BPG layer. In general, we typically try to fix bugs where they occur, so lower-level methods such as shortenLayer and extendLayer don't receive "garbage data".
At the very least, it makes sense to keep in
shortenLayera check to ensure the number of bytes being removed doesn’t exceed the layer’s length
I guess we can do that, sure 👍
I'd only keep this check and remove the rest
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, we’re keeping the check for the number of bytes being removed in Layer.cpp, and moving the rest into the BGP layer?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think we can keep this specific check, but fix the real issue in the setters of BGP layer
        
          
                Packet++/src/Packet.cpp
              
                Outdated
          
        
      | if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen()) | ||
| break; | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How can such a thing happen? curLayer->getHeaderLen() should never exceed the packet data, unless we have a bug in one of the layers
        
          
                Packet++/src/Packet.cpp
              
                Outdated
          
        
      | if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen()) | ||
| break; | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
- Calculate headerLen before updating m_DataLen to avoid double subtraction - Move dataPtr validation to beginning of loop and add log message
…gpLayer.cpp - Add two validation methods in BgpLayer.cpp: isValidShortenRange and isValidExtendRange - Perform validation before each extendLayer/shortenLayer call
075bb45    to
    e9d3792      
    Compare
  
            
          
                Packet++/src/Packet.cpp
              
                Outdated
          
        
      |  | ||
| // assuming header length of the layer that requested to be extended hasn't been enlarged yet | ||
| size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0); | ||
| // size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0); | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we remove this commented-out line?
        
          
                Packet++/src/BgpLayer.cpp
              
                Outdated
          
        
      | } | ||
| } | ||
|  | ||
| bool BgpLayer::isValidExtendRange(int offsetInLayer, size_t numOfBytesToExtend) const | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The numOfBytesToExtend param isn't used, do we need it?
        
          
                Packet++/src/BgpLayer.cpp
              
                Outdated
          
        
      | int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); | ||
| const uint8_t* rawPacketPtr = m_Packet->getRawPacket()->getRawData(); | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
m_Packet doesn't necessarily exist. It could be nullptr if the layer is initialized without a packet
        
          
                Packet++/src/BgpLayer.cpp
              
                Outdated
          
        
      | int rawPacketLen = m_Packet->getRawPacket()->getRawDataLen(); | ||
| const uint8_t* rawPacketPtr = m_Packet->getRawPacket()->getRawData(); | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
…r and BgpLayer::shortenLayer Add m_Packet != nullptr check to prevent nullptr dereference
| Thank you @danasana for working on this fix, much appreciated! 🙏 | 
Closes #1864
This PR fixes heap-use-after-free and heap-buffer-overflow issues in BgpLayer::getHeaderLen(), reported by AddressSanitizer when extending or shortening the BGP layer
Added boundary checks to ensure that requested offsets and lengths do not exceed:
Added regression_samples