Red Hat Bugzilla – Bug 107140
CAN-2003-0795 Remote DoS in zebra
Last modified: 2014-08-31 19:25:28 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b) Gecko/20030831
Description of problem:
A remote DoS condition exists in zebra when layer 3 access is possible to the
telnet management port (2601/tcp).
By sending a telnet option delimiter with no actual option data, zebra will make
a bad memory call and SIGSEGV.
Have tested/confirmed against all zebra versions from 0.90a to 0.93b.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run zebra on a machine.
2. From another machine run: printf '\xff\xf0\xff\xf0\xff\xf0' | nc <zebra-host>
3. zebra dies.
Actual Results: Routing daemon goes boom :(
Expected Results: Zebra should handle this condition.
Program received signal SIGSEGV, Segmentation fault.
0x08051db8 in vty_telnet_option (vty=0x80855b0, buf=0x0, nbytes=452) at vty.c:1141
1141 char *buffer = (char *)vty->sb_buffer->head->data;
#0 0x08051db8 in vty_telnet_option (vty=0x80855b0, buf=0x0, nbytes=452) at
#1 0x08051fb5 in vty_read (thread=0xbfffe7ac) at vty.c:1289
#2 0x08058ab0 in thread_call (thread=0xbfffea30) at thread.c:627
#3 0x0804b4e0 in main (argc=0, argv=0xbfffea30) at main.c:310
#4 0x420156a4 in __libc_start_main () from /lib/tls/libc.so.6
I've assigned CAN-2003-0795 to track this issue
Errata is in progress with a patch to correct this issue, will be
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.
This bug doesn't only affect port 2601 (zebra itself) but rather all
ports zebra listens on (2605/bgpd for example), too.
Adding the option "-A 127.0.0.1" to your daemon's start scripts will
prevent connections from the outside.
Please note that -A option is largely broken on Zebra v0.93b, see
zebra.patch on http://cvs.openpkg.org/chngview?cn=11017
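
A defensive handler for the condition this report describes, as an added example that is not zebra's code and not the errata patch. It assumes (the report does not say so) that the fault at vty.c:1141 comes from using the subnegotiation buffer when SE arrives with nothing collected; `tn_state`, `tn_feed`, `SB_MAX` and the `TN_*` names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

enum { TN_SE = 0xf0, TN_SB = 0xfa, TN_WILL = 0xfb, TN_DONT = 0xfe, TN_IAC = 0xff };
enum { S_DATA, S_IAC, S_OPT };
#define SB_MAX 32

struct tn_state {                 /* hypothetical state, not zebra's struct vty */
    int state, in_sb;             /* in_sb is 1 between IAC SB and IAC SE */
    size_t sb_len;                /* option bytes collected so far */
    unsigned char sb_buf[SB_MAX]; /* fixed storage: no pointer that can be NULL */
    unsigned ignored_se;          /* IAC SE that had no option data to end */
    unsigned completed;           /* subnegotiations that carried data */
};

/* Feed raw socket bytes; returns how many were ordinary CLI input. */
size_t tn_feed(struct tn_state *st, const unsigned char *p, size_t n)
{
    size_t data = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (st->state == S_OPT) {            /* option byte after WILL..DONT */
            st->state = S_DATA;
        } else if (st->state == S_IAC) {
            st->state = (c >= TN_WILL && c <= TN_DONT) ? S_OPT : S_DATA;
            /* Check before use: only a non-empty buffer counts as an option. */
            if (c == TN_SE && st->in_sb && st->sb_len > 0) st->completed++;
            else if (c == TN_SE) st->ignored_se++;
            if (c == TN_SB || c == TN_SE) {  /* other commands are dropped */
                st->in_sb = (c == TN_SB);
                st->sb_len = 0;
            }
        } else if (c == TN_IAC) {
            st->state = S_IAC;
        } else if (!st->in_sb) {
            data++;
        } else if (st->sb_len < SB_MAX) {    /* oversized option data is truncated */
            st->sb_buf[st->sb_len++] = c;
        }
    }
    return data;
}

/* Bytes from the report's reproduction step: three bare IAC SE pairs. */
static const unsigned char report_input[] = { 0xff, 0xf0, 0xff, 0xf0, 0xff, 0xf0 };
int main(void)
{
    struct tn_state st = {0};
    tn_feed(&st, report_input, sizeof report_input);
    printf("ignored_se=%u completed=%u\n", st.ignored_se, st.completed);
    return 0;
}
```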