The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message containing cluster-list and/or unknown attributes.
This issue can be triggered by an optional, transitive UPDATE attribute, which all conforming eBGP speakers are required to pass along. A single crafted UPDATE message may therefore reach, and trigger the bug in, many affected Quagga bgpd processes across a wide area of a network.
This issue could result in a crash of bgpd (denial of service), or potentially allow a remote attacker to gain control of an affected bgpd process.
All versions are likely affected.
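The propagation property above is what makes this bug wide-reaching: a BGP speaker that does not recognise an attribute keeps and re-advertises it as long as the Optional and Transitive flag bits are set, so the memory that holds such attributes is allocated, copied and released on every hop. As an added illustration (this is not Quagga's code, not the fix, and not an exploit for this bug), the C parser below walks an UPDATE's Path Attributes field, retains unknown optional transitive attributes with the Partial bit set as RFC 4271 requires, drops unknown optional non-transitive ones, rejects malformed or duplicate attributes, and releases everything through one owner function that nulls pointers so a repeated release cannot become a double free. The flag bits and the CLUSTER_LIST type code (10, RFC 4456) are from the RFCs; the sample byte strings and the `MAX_UNKNOWN_ATTRS` limit are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* BGP path-attribute flag bits (RFC 4271, section 4.3). */
#define BGP_ATTR_FLAG_OPTIONAL 0x80
#define BGP_ATTR_FLAG_TRANS    0x40
#define BGP_ATTR_FLAG_PARTIAL  0x20
#define BGP_ATTR_FLAG_EXTLEN   0x10

#define BGP_ATTR_CLUSTER_LIST  10   /* RFC 4456 */
#define MAX_UNKNOWN_ATTRS      16   /* arbitrary limit for this example */

struct attr_blob {
    uint8_t  type;
    uint8_t  flags;
    uint16_t len;
    uint8_t *data;      /* owned; freed exactly once by attrs_free() */
};

struct parsed_attrs {
    uint8_t         *cluster_list;  /* owned; NULL when absent */
    uint16_t         cluster_len;
    struct attr_blob unknown[MAX_UNKNOWN_ATTRS];
    size_t           n_unknown;
};

/* Single owner of all attribute memory. Pointers are nulled after free so a
 * second call (e.g. from an error path and again from the caller) is a no-op
 * instead of a double free. */
void attrs_free(struct parsed_attrs *a)
{
    free(a->cluster_list);
    a->cluster_list = NULL;
    a->cluster_len = 0;
    for (size_t i = 0; i < a->n_unknown; i++) {
        free(a->unknown[i].data);
        a->unknown[i].data = NULL;
    }
    a->n_unknown = 0;
}

/* Parse the Path Attributes field of an UPDATE. Returns 0 on success and -1
 * on a malformed message; in both cases attrs_free(out) is safe afterwards. */
int parse_path_attrs(const uint8_t *buf, size_t len, struct parsed_attrs *out)
{
    memset(out, 0, sizeof *out);
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) goto bad;
        uint8_t flags = buf[off], type = buf[off + 1];
        size_t hdr = (flags & BGP_ATTR_FLAG_EXTLEN) ? 4 : 3;
        if (len - off < hdr) goto bad;
        uint16_t alen = (hdr == 4)
            ? (uint16_t)((buf[off + 2] << 8) | buf[off + 3])
            : buf[off + 2];
        off += hdr;
        if (len - off < alen) goto bad;          /* value runs past the buffer */
        const uint8_t *val = buf + off;

        if (type == BGP_ATTR_CLUSTER_LIST) {
            if (out->cluster_list) goto bad;      /* duplicate attribute: treat as malformed */
            if (alen % 4 != 0) goto bad;          /* list of 4-byte CLUSTER_IDs */
            out->cluster_list = malloc(alen ? alen : 1);
            if (!out->cluster_list) goto bad;
            memcpy(out->cluster_list, val, alen);
            out->cluster_len = alen;
        } else if (!(flags & BGP_ATTR_FLAG_OPTIONAL)) {
            goto bad;                             /* unrecognised well-known attribute */
        } else if (flags & BGP_ATTR_FLAG_TRANS) {
            /* Unknown optional transitive: keep for re-advertisement with the
             * Partial bit set (RFC 4271, section 9). This is the class of
             * attribute that every conforming speaker passes along. */
            if (out->n_unknown == MAX_UNKNOWN_ATTRS) goto bad;
            struct attr_blob *b = &out->unknown[out->n_unknown];
            b->data = malloc(alen ? alen : 1);
            if (!b->data) goto bad;
            memcpy(b->data, val, alen);
            b->len = alen;
            b->type = type;
            b->flags = flags | BGP_ATTR_FLAG_PARTIAL;
            out->n_unknown++;
        }
        /* Unknown optional non-transitive: ignored and not propagated. */
        off += alen;
    }
    return 0;
bad:
    attrs_free(out);   /* release whatever was allocated before the error */
    return -1;
}

/* Constructed sample Path Attributes field (not captured traffic). */
static const uint8_t SAMPLE_ATTRS[] = {
    0x80, 0x0A, 0x04, 0x0A, 0x00, 0x00, 0x01,   /* CLUSTER_LIST, one CLUSTER_ID */
    0xC0, 0xC8, 0x02, 0xDE, 0xAD,               /* unknown optional transitive, type 200 */
    0x80, 0xC9, 0x01, 0xFF,                     /* unknown optional non-transitive, type 201 */
};
/* Constructed malformed field: CLUSTER_LIST claims 8 bytes but only 4 follow. */
static const uint8_t TRUNCATED_ATTRS[] = { 0x80, 0x0A, 0x08, 0x0A, 0x00, 0x00, 0x01 };

int main(void)
{
    struct parsed_attrs a;
    if (parse_path_attrs(SAMPLE_ATTRS, sizeof SAMPLE_ATTRS, &a) != 0) return 1;
    printf("cluster_len=%u kept_unknown=%zu type=%u flags=0x%02x\n",
           a.cluster_len, a.n_unknown, a.unknown[0].type, a.unknown[0].flags);
    attrs_free(&a);
    attrs_free(&a);   /* second release is a no-op, not a double free */
    if (parse_path_attrs(TRUNCATED_ATTRS, sizeof TRUNCATED_ATTRS, &a) != -1) return 1;
    attrs_free(&a);
    return 0;
}
```

The point to take from the error path is ownership: every allocation has exactly one function responsible for releasing it, that function is idempotent, and the parser itself calls it before returning failure, so a caller that also cleans up on error cannot free the same block a second time.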
Name: the Quagga project
Created attachment 1392685
Glibc's heap protection mitigations render this issue more difficult to exploit, though bypasses may still be possible.
Created quagga tracking bugs for this issue:
Affects: fedora-all [bug 1546008]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:0377 https://access.redhat.com/errata/RHSA-2018:0377