Commit 1657c41c authored by Ondrej Zajicek (work)'s avatar Ondrej Zajicek (work)

BGP: Fix bugs in handling of shutdown messages

There is an improper check for valid message size, which may lead to
stack overflow and buffer leaks to log when a large message is received.

Thanks to Daniel McCarney for bugreport and analysis.
parent 7300d79b
+2 −2
@@ -1539,7 +1539,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
    return 1;

  /* Handle proper message */
  if ((msg_len > 255) && (msg_len + 1 > len))
  if (msg_len + 1 > len)
    return 0;

  /* Some elementary cleanup */
@@ -1555,7 +1555,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
void
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len)
{
  byte argbuf[256], *t = argbuf;
  byte argbuf[256+16], *t = argbuf;
  unsigned i;

  /* Don't report Cease messages generated by myself */
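Review bot: The new `256+16` size for `argbuf` in bgp_log_error() is a bare sum with no comment tying it to what is written into the buffer, and bgp_handle_message() receives only `byte **bp` with no end-of-buffer argument, so the overflow fix rests on an invariant that neither function states. I would document it at the declaration, e.g. `byte argbuf[256+16], *t = argbuf;	/* sized for the longest message bgp_handle_message() may append; keep the two in sync */`, or name the two terms as constants. The writes through `*bp` and the rest of both function bodies lie outside these hunks, so whether 16 spare bytes cover every path cannot be confirmed from here; a bounded formatter that takes the remaining size would make that check local. The corrected `if (msg_len + 1 > len)` test looks right for rejecting a length that runs past the received data, assuming `msg_len` is read from a one-octet length field.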