FastNetMon
- <= 1.2.9
A vulnerability in FastNetMon Community Edition versions through 1.2.9 allows out-of-bounds memory access due to improper parsing of BGP path attributes that have the Extended Length flag set. The issue is in the 'parse_raw_bgp_attribute()' function within 'src/bgp_protocol.hpp'. When the Extended Length bit is set, the parser correctly identifies that the length field should be two bytes but reads only one byte for the attribute value length. This truncates the length of attributes exceeding 255 bytes, leading to parsing errors and potential out-of-bounds memory access.
The vulnerability can cause out-of-bounds memory access, which may lead to memory corruption or exploitation. In this case, the BGP attribute parser misinterprets attribute lengths, causing parsing errors and allowing for phantom attributes that can disrupt routing decisions.
The vulnerability can be reproduced by sending BGP UPDATE messages with attributes that have the Extended Length bit set and are longer than 255 bytes. FastNetMon, when configured to receive BGP updates from a peer that sends such attributes, will misparse the length, leading to the described out-of-bounds access.
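The length handling the description calls for, as an added example (not FastNetMon's code or its fix): a path attribute header parser that reads both length octets when the Extended Length bit is set, as RFC 4271 defines it, and rejects any attribute whose declared value overruns the buffer. The names `AttrHeader`, `parse_attr_header`, `count_attributes` and `make_sample` are hypothetical, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// RFC 4271 section 4.3: bit 0x10 of the flags octet selects a two-octet length.
constexpr uint8_t kExtendedLength = 0x10;

struct AttrHeader {
    uint8_t flags;
    uint8_t type_code;
    size_t header_len;  // 3 octets, or 4 with Extended Length
    size_t value_len;   // declared length of the attribute value
};

// Hypothetical hardened header parser: reads both length octets when the
// Extended Length bit is set and rejects attributes that overrun the buffer.
bool parse_attr_header(const uint8_t* buf, size_t avail, AttrHeader& out) {
    if (buf == nullptr || avail < 3) return false;
    AttrHeader h{buf[0], buf[1], 3, buf[2]};
    if (h.flags & kExtendedLength) {
        if (avail < 4) return false;  // second length octet must be present
        h.header_len = 4;
        h.value_len = (static_cast<size_t>(buf[2]) << 8) | buf[3];  // network order
    }
    if (h.value_len > avail - h.header_len) return false;  // value must fit
    out = h;
    return true;
}

// Walks a Path Attributes block; returns the count, or -1 on any malformed attribute.
int count_attributes(const std::vector<uint8_t>& block) {
    size_t off = 0;
    int n = 0;
    while (off < block.size()) {
        AttrHeader h{};
        if (!parse_attr_header(block.data() + off, block.size() - off, h)) return -1;
        off += h.header_len + h.value_len;  // advance by the full declared size
        ++n;
    }
    return n;
}

// Constructed sample: one attribute, Extended Length set, 300 octets of filler.
std::vector<uint8_t> make_sample() {
    std::vector<uint8_t> a{0x50, 0x02, 0x01, 0x2C};  // flags, type, length = 300
    a.insert(a.end(), 300, 0x00);
    return a;
}
int main() { return count_attributes(make_sample()) == 1 ? 0 : 1; }
```

Because the walk advances by the full two-octet length, the 300-octet value is consumed as one attribute instead of being re-read as further attribute headers.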