osrg GoBGP Off-by-One Vulnerability in BGP Decoding Function

Vulnerability

An off-by-one vulnerability has been identified in osrg GoBGP versions prior to 4.3.0. It affects the `DecodeFromBytes` function in the BGP packet handling module: the slice boundaries used to extract the Software Version string from a BGP OPEN capability payload are calculated incorrectly. The flaw is remotely exploitable, although such attacks are considered complex and difficult to execute.

Impact

The off-by-one error in the BGP software version decoding truncates the parsed version string, so the decoded value no longer matches what the peer encoded. This discrepancy between the encoded and decoded representations may enable further manipulation or exploitation.

Reproduction

The vulnerability can be reproduced by manipulating the `data` argument passed to `DecodeFromBytes`: craft a BGP OPEN message whose Software Version string is deliberately malformed, for example longer than expected or containing invalid characters. When GoBGP processes such a message, the incorrect slice handling truncates the version string, demonstrating the off-by-one error.
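The following Go program is an added illustration of the bug class described above and is not GoBGP's own code. It assumes a simplified wire layout for the Software Version capability (one byte of capability code, one byte of length, then the string bytes) and assumes capability code 75 for it; the buggy slice expression is a hypothetical reconstruction, not the exact line from the project. The program shows how a one-byte-short slice end silently drops the last byte, how the corrected decoder bounds-checks the declared length before slicing, and how an encode/decode round-trip test catches the mismatch that the Impact section describes.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed capability code for the BGP Software Version capability
// (the value IANA assigns to it); it is not taken from the advisory.
const capCodeSoftwareVersion byte = 75

var (
	ErrTruncated = errors.New("capability payload shorter than its declared length")
	ErrWrongCode = errors.New("not a Software Version capability")
	ErrTooLong   = errors.New("software version string exceeds 255 bytes")
)

// encodeSoftwareVersion builds the capability as code(1) | length(1) | string bytes.
func encodeSoftwareVersion(version string) ([]byte, error) {
	if len(version) > 255 {
		return nil, ErrTooLong
	}
	buf := make([]byte, 2+len(version))
	buf[0] = capCodeSoftwareVersion
	buf[1] = byte(len(version))
	copy(buf[2:], version)
	return buf, nil
}

// decodeBuggy is a hypothetical decoder illustrating the bug class: the slice
// end index is computed one byte short, so the last byte of the string is
// silently dropped (and a zero-length string would make low > high and panic).
func decodeBuggy(data []byte) (string, error) {
	if len(data) < 2 {
		return "", ErrTruncated
	}
	n := int(data[1])
	if len(data) < 2+n {
		return "", ErrTruncated
	}
	return string(data[2 : 2+n-1]), nil // BUG: end index should be 2+n
}

// decodeFixed validates the capability code, checks the declared length
// against the bytes actually present, and slices exactly n bytes.
func decodeFixed(data []byte) (string, error) {
	if len(data) < 2 {
		return "", ErrTruncated
	}
	if data[0] != capCodeSoftwareVersion {
		return "", ErrWrongCode
	}
	n := int(data[1])
	if len(data) < 2+n {
		return "", ErrTruncated
	}
	return string(data[2 : 2+n]), nil
}

// roundTripOK is the check a test suite would run: encode, decode, compare.
// Any encode/decode mismatch flags a framing bug before it ships.
func roundTripOK(decode func([]byte) (string, error), version string) (bool, error) {
	wire, err := encodeSoftwareVersion(version)
	if err != nil {
		return false, err
	}
	got, err := decode(wire)
	if err != nil {
		return false, err
	}
	return got == version, nil
}

func main() {
	const sample = "vendor-bgpd 1.2.3" // constructed sample, not a real peer's string
	wire, _ := encodeSoftwareVersion(sample)
	fmt.Printf("wire: % x\n", wire)
	decoders := []struct {
		name string
		fn   func([]byte) (string, error)
	}{{"buggy", decodeBuggy}, {"fixed", decodeFixed}}
	for _, d := range decoders {
		got, _ := d.fn(wire)
		ok, err := roundTripOK(d.fn, sample)
		fmt.Printf("%s: decoded=%q roundtrip=%v err=%v\n", d.name, got, ok, err)
	}
	// A payload cut short of its declared length must be rejected, not sliced past its end.
	_, err := decodeFixed(wire[:10])
	fmt.Println("truncated payload:", err)
}
```

Running it prints the buggy decoder returning `"vendor-bgpd 1.2."` with a failed round-trip while the fixed decoder returns the full string; the truncated-payload call returns an error instead of indexing beyond the buffer. The round-trip check is the cheap regression test for this whole class of framing errors, and the explicit `len(data) < 2+n` guard is what keeps a short or malformed capability from turning a parsing bug into a panic.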

Remediation

Users are advised to update to GoBGP version 4.3.1 or later, where this vulnerability has been fixed.

Added: Mar 30, 2026, 4:19 PM
Updated: Mar 30, 2026, 4:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.