CVE-2007-1995

bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read.

🔗 References (52)

• cve@mitrehttp://bugzilla.quagga.net/show_bug.cgi?id=354
• cve@mitrehttp://bugzilla.quagga.net/show_bug.cgi?id=355
• cve@mitrehttp://secunia.com/advisories/24808
• cve@mitrehttp://secunia.com/advisories/25084
• cve@mitrehttp://secunia.com/advisories/25119
• cve@mitrehttp://secunia.com/advisories/25255
• cve@mitrehttp://secunia.com/advisories/25293
• cve@mitrehttp://secunia.com/advisories/25312
• cve@mitrehttp://secunia.com/advisories/25428
• cve@mitrehttp://secunia.com/advisories/29743
• cve@mitrehttp://security.gentoo.org/glsa/glsa-200705-05.xml
• cve@mitrehttp://sunsolve.sun.com/search/document.do?assetkey=1-26-236141-1
• cve@mitrehttp://www.debian.org/security/2007/dsa-1293
• cve@mitrehttp://www.mandriva.com/security/advisories?name=MDKSA-2007:096
• cve@mitrehttp://www.novell.com/linux/security/advisories/2007_9_sr.html