A remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a "runtime error: index out of range" panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled.
The vulnerability is located in internal/pkg/table/message.go within the UpdatePathAttrs4ByteAs function.
When GoBGP processes a BGP UPDATE message containing both an AS_PATH and an AS4_PATH attribute, it attempts to merge or validate them to support 4-byte AS numbers. If the attributes are ordered such that AS4_PATH (Type 17) appears before AS_PATH (Type 2), and the AS4_PATH is deemed invalid/malformed, the code attempts to remove the AS4_PATH attribute from the msg.PathAttributes slice. It appears the crash happens due to an index shift in msg.PathAttributes:
// GoBGP v4.2.0
// Line 112: If AS4_PATH precedes AS_PATH, the deletion causes all subsequent attributes to shift left.
msg.PathAttributes = append(msg.PathAttributes[:as4AttrPos], msg.PathAttributes[as4AttrPos+1:]...)
// Line 206: The stale asAttrPos index is used here.
// The function continues to use the stale index (asAttrPos) to update the AS_PATH. Since the slice length has decreased, accessing the old index leads to a panic.
msg.PathAttributes[asAttrPos] = bgp.NewPathAttributeAsPath(newIntfParams)
This deletion causes all subsequent attributes in the slice to shift left by one position. However, the function continues to use the original asAttrPos index (calculated before the deletion) to access or modify the AS_PATH attribute later at Line 206. Because the slice is now shorter, the "stale" index points out of bounds, triggering a panic and crashing the entire GoBGP process.
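The stale-index pattern described above, reduced to a self-contained model. This is an added example, not GoBGP's code: the attr type, the rewriteASPath function and its adjust flag are hypothetical stand-ins, and the index correction shown is one way to handle the shift, not necessarily the project's fix.

```go
package main

import "fmt"

// attr is a simplified stand-in for a path attribute (not GoBGP's type).
type attr struct{ Type uint8; Name string }

const (
	typeASPath  = 2  // AS_PATH
	typeAS4Path = 17 // AS4_PATH
)

// rewriteASPath records both positions, drops AS4_PATH, then rewrites AS_PATH.
// adjust=false keeps the stale index; adjust=true corrects it after the delete.
func rewriteASPath(attrs []attr, adjust bool) (out []attr, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("recovered: %v", r)
		}
	}()
	asPos, as4Pos := -1, -1
	for i, a := range attrs {
		switch a.Type {
		case typeASPath:
			asPos = i
		case typeAS4Path:
			as4Pos = i
		}
	}
	if as4Pos >= 0 {
		attrs = append(attrs[:as4Pos], attrs[as4Pos+1:]...)
		if adjust && asPos > as4Pos {
			asPos-- // everything after the removed element moved left by one
		}
	}
	if asPos >= 0 {
		attrs[asPos] = attr{typeASPath, "AS_PATH (rewritten)"}
	}
	return attrs, nil
}

func main() {
	// Constructed attribute lists: AS_PATH last, and AS_PATH followed by NEXT_HOP.
	for _, adjust := range []bool{false, true} {
		a, errA := rewriteASPath([]attr{{1, "ORIGIN"}, {17, "AS4_PATH"}, {2, "AS_PATH"}}, adjust)
		b, errB := rewriteASPath([]attr{{17, "AS4_PATH"}, {2, "AS_PATH"}, {3, "NEXT_HOP"}}, adjust)
		fmt.Printf("adjust=%v last=%v (%v) mid=%v (%v)\n", adjust, a, errA, b, errB)
	}
}
```

In this model the stale index panics only when AS_PATH is the last element; when another attribute follows it, the same stale write silently replaces that attribute instead.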
Environment:
* GoBGP version: 4.2.0
Configuration: Passive peering enabled....
4.3.0
CVSS 3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)