Fixes a buffer overflow in TX code of IPv6 BGP.

diff --git a/nest/rt-table.c b/nest/rt-table.c
index b5256945fcb015e2f230962d9825b0ee4fdf6086..f40cc806ac76d27548888c90dd34dc78ae8650de 100644 (file)
--- a/nest/rt-table.c
+++ b/nest/rt-table.c
@@ -354,7 +354,7 @@ rte_validate(rte *e)
   int c;
   net *n = e->net;
 
-  if (ipa_nonzero(ipa_and(n->n.prefix, ipa_not(ipa_mkmask(n->n.pxlen)))))
+  if ((n->n.pxlen > BITS_PER_IP_ADDRESS) || !ip_is_prefix(n->n.prefix,n->n.pxlen))
     {
       log(L_BUG "Ignoring bogus prefix %I/%d received via %s",
          n->n.prefix, n->n.pxlen, e->sender->name);

diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 6e230226ff93f03f2b67582b0f34012f9a43991b..ba43cd283b9559e60f2f0bf643ade84b17764906 100644 (file)
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -219,7 +219,7 @@ bgp_encode_prefixes(struct bgp_proto *p, byte *w, struct bgp_bucket *buck, unsig
   ip_addr a;
   int bytes;
 
-  while (!EMPTY_LIST(buck->prefixes) && remains >= 5)
+  while (!EMPTY_LIST(buck->prefixes) && remains >= (1+sizeof(ip_addr)))
     {
       struct bgp_prefix *px = SKIP_BACK(struct bgp_prefix, bucket_node, HEAD(buck->prefixes));
       DBG("\tDequeued route %I/%d\n", px->n.prefix, px->n.pxlen);