diff options
author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2019-09-09 03:13:35 +0200 |
---|---|---|
committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2019-09-09 03:13:35 +0200 |
commit | 8388f5a7e14108a1458fea35bfbb5a453e2c563c (patch) | |
tree | 9e97dc13229d2d750af50f75ff4b712a5d659dd3 | |
parent | 56d8b1e7f6252158caf0ecd3147376b858b16d97 (diff) |
BGP: Fix bugs in handling of shutdown messages
There is an improper check for valid message size, which may lead to
stack overflow and buffer leaks to log when a large message is received.
Thanks to Daniel McCarney for bugreport and analysis.
-rw-r--r-- | proto/bgp/packets.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c index 2b7ee1d0..4632e4ad 100644 --- a/proto/bgp/packets.c +++ b/proto/bgp/packets.c @@ -2959,7 +2959,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp) return 1; /* Handle proper message */ - if ((msg_len > 255) && (msg_len + 1 > len)) + if (msg_len + 1 > len) return 0; /* Some elementary cleanup */ @@ -2975,7 +2975,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp) void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, uint code, uint subcode, byte *data, uint len) { - byte argbuf[256], *t = argbuf; + byte argbuf[256+16], *t = argbuf; uint i; /* Don't report Cease messages generated by myself */ |