git.ipfire.org Git - thirdparty/FORT-validator.git/commitdiff
RTR: Reject serial ^ 0x80000000 (main, main-rapport)
author: Alberto Leiva Popper <ydahhrk@gmail.com>
Tue, 23 Jun 2026 16:56:35 +0000 (10:56 -0600)
committer: Alberto Leiva Popper <ydahhrk@gmail.com>
Tue, 23 Jun 2026 16:56:35 +0000 (10:56 -0600)

E.g. if the cache has serial 0x01, and the router requests serial
0x80000001.

0x80000001 was bypassing the sanitizations because, in accordance with
32-bit serial number arithmetic, it's neither greater nor less than
0x01.

This was resulting in Fort returning Cache Response instead of Cache
Reset.

Thanks to 王鑫 for reporting this.

Fixes GHSA-4q3q-6gww-wc52.
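
The comparison gap described in the commit message, as an added example that is not part of the commit or of Fort's code. `serial_lt` here is a fresh RFC 1982 implementation written for the example, `serial_incomparable`, `answer_for` and `enum rtr_answer` are hypothetical names, and passing both checks is assumed to mean Cache Response.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t serial_t;
enum rtr_answer { CACHE_RESPONSE, CACHE_RESET };

/* RFC 1982 "less than" for 32-bit serials (written for this example). */
static bool serial_lt(serial_t a, serial_t b)
{
	return (a < b && (b - a) < 0x80000000u) ||
	       (a > b && (a - b) > 0x80000000u);
}

/* RFC 1982 defines no order for serials exactly 2^31 apart. */
static bool serial_incomparable(serial_t a, serial_t b)
{
	return a == (b ^ 0x80000000u);
}

/* Hypothetical model of the two checks in the hunk; passing both is
 * treated as "Cache Response" (assumption: later checks are ignored). */
static enum rtr_answer answer_for(serial_t cache, serial_t from, bool patched)
{
	if (serial_lt(cache, from))
		return CACHE_RESET;	/* router is ahead of the cache */
	if (patched && serial_incomparable(from, cache))
		return CACHE_RESET;	/* no defined ordering at all */
	return CACHE_RESPONSE;
}

int main(void)
{
	/* Constructed {cache serial, requested serial} pairs. */
	static const serial_t cases[][2] = {
		{ 0x00000001u, 0x80000001u },	/* the commit message's case */
		{ 0x80000001u, 0x00000001u },	/* same gap, other direction */
		{ 0x00000001u, 0x80000000u },	/* one short of the gap */
		{ 0xFFFFFFFFu, 0x00000005u },	/* router ahead across the wrap */
		{ 0x00000005u, 0x00000003u },	/* ordinary older serial */
	};
	static const char *name[] = { "Cache Response", "Cache Reset" };
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		serial_t c = cases[i][0], f = cases[i][1];
		printf("cache=0x%08x from=0x%08x  before: %-14s  after: %s\n",
		    (unsigned)c, (unsigned)f, name[answer_for(c, f, false)], name[answer_for(c, f, true)]);
	}
	return 0;
}
```

Only the first two rows change between the "before" and "after" columns; every other pair is already ordered by `serial_lt` in one direction or the other.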

src/rtr/db/vrps.c

index f23107d6b3f6cece57f3c53a7a81406d8d3b54b8..cde8afb53e2d4026fe7f2cd8222b3b023c2e41e9 100644 (file)
@@ -418,6 +418,8 @@ vrps_foreach_delta_since(serial_t from, serial_t *to,
        /* if from > last serial */
        if (serial_lt(state.serial, from))
                goto cache_reset; /* Serial is invalid. */
+       if (from == (state.serial ^ 0x80000000u))
+               goto cache_reset; /* Also invalid */
 
        /*
         * TODO (performance) this implementation is naive.
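Review bot: the added check `from == (state.serial ^ 0x80000000u)` uses a bare constant, and its comment `/* Also invalid */` does not say why the value is invalid. A comment stating that the serial exactly 2^31 away from `state.serial` is neither less nor greater under 32-bit serial arithmetic, so the `serial_lt()` test above cannot catch it, would keep the line from looking arbitrary to the next reader. The existing `/* if from > last serial */` comment now describes only the first of the two conditions and could be widened to cover both. Consider also giving the test a name next to `serial_lt()` so that other serial comparisons can reuse it rather than repeat the XOR.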