BGP: Fix bugs in handling of shutdown messages

There is an improper check for valid message size, which may lead to
stack overflow and buffer leaks to log when a large message is received.

Thanks to Daniel McCarney for bugreport and analysis.

diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 2b7ee1d00434756bbe3fc813c653f7aa9ddc04e5..4632e4ade5d919dcbee01a7626d64bbe7387216c 100644 (file)
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -2959,7 +2959,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
     return 1;
 
   /* Handle proper message */
-  if ((msg_len > 255) && (msg_len + 1 > len))
+  if (msg_len + 1 > len)
     return 0;
 
   /* Some elementary cleanup */
@@ -2975,7 +2975,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
 void
 bgp_log_error(struct bgp_proto *p, u8 class, char *msg, uint code, uint subcode, byte *data, uint len)
 {
-  byte argbuf[256], *t = argbuf;
+  byte argbuf[256+16], *t = argbuf;
   uint i;
 
   /* Don't report Cease messages generated by myself */