BGP Mishandled attribute length on Error

A vulnerability exists in the BGP daemon of FRR where a malformed BGP UPDATE packet can leak information from the BGP daemon and cause a denial of service by crashing the daemon.



Document Version:


Posting date:

Nov 8, 2017

Program Impacted:

FRRouting “FRR” (bgpd) on any platforms. Use of FRR without running the BGP daemon is not affected.

Versions affected:

All Versions of FRR






All versions of FRR (2.0, 3.0, 3.1) are vulnerable to a remote crafted BGP UPDATE packet with a malformed path attribute length field.

When returning the malformed attribute to the UPDATE sender in the data field of a NOTIFICATION message, the malformed length field is used to compute the amount of data returned. This can result in a heap buffer overflow, allowing an attacker to read up to 4075 bytes of bgpd program heap, including the intended contents of the malformed attribute.

Leaked information is likely to include portions of previous messages received from the requester as well as random heap values. Denial of service via program crash resulting from out of bounds reads is also a possibility. The leaked data is restricted to data from the BGP daemon.

In order to exploit this flaw an attacker must be able to successfully establish a BGP peering to the target. (The attacker must be able to establish a BGP session first)

CVSS v3 Base Score: 5.0

CVSS Equation:

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:F/RL:O/RC:C


None. However, the attacker must have access to a system with a configured BGP neighbor.

Active exploits:

None known in the public at this time. An internal functional exploit code exists.

Impacted Versions:


Upgrade to FRR 2.0.2 if you are running < 2.0.2 or upgrade to 3.0.2 for FRR versions 3.0.x. Updated packages are available at or upgrade to latest GIT Master version

Document Revision History:


The issue was uncovered by Quentin Young at Cumulus Networks


Do you have Questions?

Questions regarding this advisory should go to