authorOndrej Zajicek <santiago@crfreenet.org>2010-07-22 15:09:35 +0200
committerOndrej Zajicek <santiago@crfreenet.org>2010-08-03 10:34:32 +0200
commit1a35a27b64ce2cbef0eb71d874fe41d9b240a2d8 (patch)
tree5916bd32b562ed0f79dfcf4f22aa47f8dd6b1a4a
parent9472efaa571c44e67e24f1854bb91382977ad339 (diff)
Fixes a buffer overflow in TX code of IPv6 BGP.
-rw-r--r--nest/rt-table.c2
-rw-r--r--proto/bgp/packets.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/nest/rt-table.c b/nest/rt-table.c
index 8cca42a7..26769f13 100644
--- a/nest/rt-table.c
+++ b/nest/rt-table.c
@@ -343,7 +343,7 @@ rte_validate(rte *e)
int c;
net *n = e->net;
- if (ipa_nonzero(ipa_and(n->n.prefix, ipa_not(ipa_mkmask(n->n.pxlen)))))
+ if ((n->n.pxlen > BITS_PER_IP_ADDRESS) || !ip_is_prefix(n->n.prefix,n->n.pxlen))
{
log(L_BUG "Ignoring bogus prefix %I/%d received via %s",
n->n.prefix, n->n.pxlen, e->sender->name);
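Review bot: The rewritten `if` in rte_validate has no comment saying that the `n->n.pxlen > BITS_PER_IP_ADDRESS` test is a bound other code may depend on, not just a sanity check. Given the commit message, code that sizes output from `pxlen` (such as the BGP TX path) presumably relies on it, so I would add above the condition `/* pxlen must fit the address width before the prefix/mask check; buffer sizing elsewhere depends on this bound */`. The declaration of `pxlen` is not visible here; if it is a signed type, the check also needs a lower bound, `n->n.pxlen < 0 ||`. The body of rte_validate continues outside the hunk.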
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 1e9d6465..e361c4e9 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -219,7 +219,7 @@ bgp_encode_prefixes(struct bgp_proto *p, byte *w, struct bgp_bucket *buck, unsig
ip_addr a;
int bytes;
- while (!EMPTY_LIST(buck->prefixes) && remains >= 5)
+ while (!EMPTY_LIST(buck->prefixes) && remains >= (1+sizeof(ip_addr)))
{
struct bgp_prefix *px = SKIP_BACK(struct bgp_prefix, bucket_node, HEAD(buck->prefixes));
DBG("\tDequeued route %I/%d\n", px->n.prefix, px->n.pxlen);
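Review bot: The guard `remains >= (1+sizeof(ip_addr))` on the `while` is only sufficient if every queued prefix encodes to at most `sizeof(ip_addr)` bytes, and nothing in this hunk enforces that; the bound on `pxlen` is added in rte_validate in nest/rt-table.c. The rest of the loop body lies outside the hunk, so this is inferred, but if the byte count is derived from `px->n.pxlen` I would state the dependency at the loop, e.g. `/* 1 length byte + at most sizeof(ip_addr) prefix bytes; relies on pxlen <= BITS_PER_IP_ADDRESS */`, or assert it before the copy. The bound also equates the in-memory size of `ip_addr` with the maximum wire length of a prefix, which is worth confirming for both the IPv4 and IPv6 builds.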