There is an improper check for valid message size, which may lead to
stack overflow and buffer leaks to log when a large message is received.
Thanks to Daniel McCarney for the bug report and analysis.
return 1;
/* Handle proper message */
- if ((msg_len > 255) && (msg_len + 1 > len))
+ if (msg_len + 1 > len)
return 0;
/* Some elementary cleanup */
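Review bot: The new guard `if (msg_len + 1 > len)` performs an addition whose operand width is not visible in the hunk; if `msg_len` is an `unsigned` (or wider) value taken from the wire rather than a single byte, `msg_len + 1` can wrap to 0 and the check passes for an oversized message. The equivalent comparison without the addition, `if (msg_len >= len)`, avoids that case entirely and reads as the bound it is; if `msg_len` is a `u8` here, a one-line comment stating so would make the safety of the addition evident to the next reader. The enclosing function starts and ends outside the hunk, so the types of `msg_len` and `len` cannot be confirmed from what is shown.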
void
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len)
{
- byte argbuf[256], *t = argbuf;
+ byte argbuf[256+16], *t = argbuf;
unsigned i;
/* Don't report Cease messages generated by myself */
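Review bot: `byte argbuf[256+16]` is a magic number with no explanation of what bounds the writes into it, and the loop that formats `data` into `argbuf` lies outside the hunk, so the relationship between this size and the cap on `len` applied further down cannot be checked from here. A comment tying the size to that bound, e.g. `/* must hold the longest formatted notification data plus separators and the trailing NUL — keep in sync with the len clamp below */`, or a named constant such as `enum { BGP_ERR_ARGBUF = 256 + 16 };`, would make the invariant reviewable the next time either side changes. Presumably the +16 is headroom for the separator/prefix bytes written before the hex dump; if so, stating that is the point of the comment.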