North American Network Operators Group


Re: prepending 2 bytes of zeros....

  • From: Bjoern A. Zeeb
  • Date: Mon Oct 24 14:49:26 2005

On Mon, 24 Oct 2005 [email protected] wrote something
 about "prepending 2 bytes of zeros....":


> I am grateful to Geoff for his consistent ability to get me interested in
> breaking things...   so, for the assembled multitude, what would the impact
> on various peers be if I was to change my origin AS (ok, so I'll have to
> change the router code on my end to support this) from

I'll assume you are talking about BGP.

> 	4554
> 	to
> 	00004554

actually these are 4 bytes of leading zeros because you are in decimal
but it's ok;)

How would you change the code?
"My Autonomous System" is a 2-octet unsigned integer and leading
zeros are of no value. So the number above still is 4554.

In case you'd hardcode that as 0x0000 0x11ca you'd overflow and depending
on your coding you may either overwrite "Hold Time" or generate some kind of
invalid packet with bad BGP Identifier and bad overall length (considering
"Opt Parm Length") or overwrite some of your local memory...

> Any ideas on how IOS (various flavors) will deal w/ this?  (yes, there is
> some lab work to do first, but I don't think there is a comprehensive enough
> lab to cover the full range of possibilities...)

Depending on what checks the code runs you should run into an error
one way or the other and not get back a NOTIFICATION message - if you
hard code those 32 bits given above then you might get something like subcode
2, 4 or 6. It should be treated like any other (specially crafted)
invalid packet.

Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
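
An added illustration, not part of the original message or of any router's code: a receiver-side sketch in Python of the case the reply describes, parsing an OPEN whose AS was written as four octets instead of two. It assumes the sender serializes the fields back to back, so the extra two octets shift everything after them; the function names and the sample identifier 192.0.2.1 are constructed for the example.

```python
import struct

MARKER = b"\xff" * 16          # BGP header marker, all ones
HDR_LEN, OPEN_MIN = 19, 29     # header size, smallest valid OPEN
# OPEN Message Error subcodes from RFC 4271 section 6.2
UNSPECIFIC, BAD_VERSION, BAD_PEER_AS, BAD_BGP_ID, UNSUPPORTED_OPT, BAD_HOLD_TIME = 0, 1, 2, 3, 4, 6

def build_open(as_field, hold_time, bgp_id, opt=b""):
    """Sender side. as_field is raw bytes so a wrong-width AS can be simulated."""
    body = b"\x04" + as_field + struct.pack("!H4sB", hold_time, bgp_id, len(opt)) + opt
    return MARKER + struct.pack("!HB", HDR_LEN + len(body), 1) + body

def parse_open(msg):
    """Receiver side: read the fixed OPEN layout with a 2-octet My Autonomous System."""
    if len(msg) < OPEN_MIN or msg[:16] != MARKER:
        raise ValueError("not a BGP OPEN")
    length, msg_type = struct.unpack("!HB", msg[16:HDR_LEN])
    if length != len(msg) or msg_type != 1:
        raise ValueError("bad header length or type")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[HDR_LEN:OPEN_MIN])
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_id": bgp_id, "opt_len": opt_len, "opt": msg[OPEN_MIN:]}

def open_error_subcode(msg, expected_as):
    """Return None if the OPEN is acceptable, else the OPEN Message Error subcode."""
    f = parse_open(msg)
    if f["version"] != 4:
        return BAD_VERSION
    if f["my_as"] != expected_as:
        return BAD_PEER_AS
    if f["hold_time"] in (1, 2):           # RFC 4271: one or two seconds must be rejected
        return BAD_HOLD_TIME
    if f["bgp_id"] == b"\x00" * 4:         # simplified identifier check (assumption)
        return BAD_BGP_ID
    if f["opt_len"] != len(f["opt"]):      # declared length disagrees with bytes present
        return UNSPECIFIC
    return UNSUPPORTED_OPT if f["opt"] else None   # this sketch supports no optional parameters

# Constructed samples: AS 4554, hold time 180 s, identifier 192.0.2.1
ROUTER_ID = bytes([192, 0, 2, 1])
GOOD = build_open(struct.pack("!H", 4554), 180, ROUTER_ID)   # 2-octet AS: 0x11ca
WIDE = build_open(struct.pack("!I", 4554), 180, ROUTER_ID)   # 4-octet AS: 0x000011ca

if __name__ == "__main__":
    for name, msg in (("2-octet AS", GOOD), ("4-octet AS", WIDE)):
        print(name, parse_open(msg), "->", open_error_subcode(msg, 4554))
```

With the four-octet field the receiver reads My Autonomous System as 0 and the real AS number lands in Hold Time, so a peer configured for AS 4554 answers with subcode 2; a peer that skipped the AS check would go on to trip over the shifted identifier and optional-parameter bytes.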