From 8388f5a7e14108a1458fea35bfbb5a453e2c563c Mon Sep 17 00:00:00 2001 From: "Ondrej Zajicek (work)" Date: Mon, 9 Sep 2019 03:13:35 +0200 Subject: [PATCH] BGP: Fix bugs in handling of shutdown messages There is an improper check for valid message size, which may lead to stack overflow and buffer leaks to log when a large message is received. Thanks to Daniel McCarney for bugreport and analysis. --- proto/bgp/packets.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c index 2b7ee1d0..4632e4ad 100644 --- a/proto/bgp/packets.c +++ b/proto/bgp/packets.c @@ -2959,7 +2959,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp) return 1; /* Handle proper message */ - if ((msg_len > 255) && (msg_len + 1 > len)) + if (msg_len + 1 > len) return 0; /* Some elementary cleanup */ @@ -2975,7 +2975,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp) void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, uint code, uint subcode, byte *data, uint len) { - byte argbuf[256], *t = argbuf; + byte argbuf[256+16], *t = argbuf; uint i; /* Don't report Cease messages generated by myself */