author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2019-09-09 03:48:27 +0200 |
---|---|---|
committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2019-09-09 03:49:35 +0200 |
commit | 1657c41c96b3c07d9265b07dd4912033ead4124b (patch) | |
tree | 11284c5d955db7d28a4cb2b3197880292bd0cca1 | |
parent | 7300d79be91962e52c678c179e3b81a874a66673 (diff) |
BGP: Fix bugs in handling of shutdown messages
There is an improper check for valid message size, which may lead to a
stack buffer overflow and to buffer contents leaking into the log when a
large message is received.
Thanks to Daniel McCarney for the bug report and analysis.
-rw-r--r-- | proto/bgp/packets.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 1f93cf56..eee47dea 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -1539,7 +1539,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
 return 1;
 /* Handle proper message */
- if ((msg_len > 255) && (msg_len + 1 > len))
+ if (msg_len + 1 > len)
 return 0;
 /* Some elementary cleanup */
@@ -1555,7 +1555,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
 void
 bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len)
 {
- byte argbuf[256], *t = argbuf;
+ byte argbuf[256+16], *t = argbuf;
 unsigned i;
 /* Don't report Cease messages generated by myself */ |
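Review bot: The corrected bound `if (msg_len + 1 > len)` in bgp_handle_message carries no comment saying what the `+ 1` accounts for, and the hunk shows no guard for `len == 0` before `msg_len` is derived. If `msg_len` comes from a single length octet at the start of `data` (the removed `msg_len > 255` condition suggests this, since it could then never hold and the size check never fired), the line deserves a comment such as `/* length octet + msg_len bytes must fit in the received data */`. The function starts and ends outside the hunk, so it is worth confirming there that `data` is not read when `len` is zero. A regression test that feeds a message whose declared length exceeds `len` would pin the fix.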
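Review bot: `byte argbuf[256+16]` in bgp_log_error sizes a stack buffer with an unexplained sum, and nothing visible in the hunk bounds the writes made through `t`. Presumably 256 covers a maximum-length message and 16 the text added around it; if so, say it in a comment such as `/* max shutdown message (255) + surrounding text and terminator */`, so the margin is re-checked whenever the formatting changes. Since the commit message attributes the overflow to this buffer, it would also be safer to compare `t` against `argbuf + sizeof(argbuf)` where the buffer is filled rather than rely on the margin alone. The function body continues outside the hunk, so the actual writes could not be checked here.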