From: Ondrej Zajicek
Date: Mon, 4 May 2026 23:03:11 +0000 (+0200)
Subject: BMP: Fix off-by-one buffer overflow
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73fb2b345b48641f92f3d9b49b685945d91feda5;p=thirdparty%2Fbird.git
BMP: Fix off-by-one buffer overflow
Config validation checks string length, buffers for system name/description should have one more byte for null termination. Thanks to lzx0xf1 for the bugreport.
---
diff --git a/proto/bmp/bmp.h b/proto/bmp/bmp.h
index 52f721225..b1bc38660 100644
--- a/proto/bmp/bmp.h
+++ b/proto/bmp/bmp.h
@@ -68,8 +68,8 @@ struct bmp_proto {
 sock *sk; // TCP connection
 event *tx_ev; // TX event
 event *update_ev; // Update event
- char sys_descr[MIB_II_STR_LEN]; // sysDescr MIB-II [RFC1213] object
- char sys_name[MIB_II_STR_LEN]; // sysName MIB-II [RFC1213] object
+ char sys_descr[MIB_II_STR_LEN+1];// sysDescr MIB-II [RFC1213] object
+ char sys_name[MIB_II_STR_LEN+1]; // sysName MIB-II [RFC1213] object
 ip_addr local_addr; // Source local IP address
 ip_addr station_ip; // Monitoring station IP address
 u16 station_port; // Monitoring station TCP port
diff --git a/proto/bmp/config.Y b/proto/bmp/config.Y
index 782947150..ed675aafb 100644
--- a/proto/bmp/config.Y
+++ b/proto/bmp/config.Y
@@ -55,14 +55,14 @@ bmp_proto:
 | bmp_proto SYSTEM DESCRIPTION text ';' {
 if (!$4 || (strlen($4) == 0))
 cf_error("String is empty");
- else if (strlen($4) > 255)
+ else if (strlen($4) > MIB_II_STR_LEN)
 cf_error("Invalid string length");
 BMP_CFG->sys_descr = $4;
 }
 | bmp_proto SYSTEM NAME text ';' {
 if (!$4 || (strlen($4) == 0))
 cf_error("String is empty");
- else if (strlen($4) > 255)
+ else if (strlen($4) > MIB_II_STR_LEN)
 cf_error("Invalid string length");
 BMP_CFG->sys_name = $4;
 }
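Review bot: In proto/bmp/bmp.h the new `MIB_II_STR_LEN+1` sizes are only safe while the length check in proto/bmp/config.Y stays at `strlen($4) > MIB_II_STR_LEN`, and nothing on the two fields records that coupling. I would document it where the arrays are declared, e.g. `// +1 for the terminating NUL; config.Y accepts up to MIB_II_STR_LEN bytes`, and restore the space before `//` on the `sys_descr` line. The code that copies the configured strings into these arrays is not part of this diff; if that copy is unbounded, limiting it to the size of the destination array would keep a later mismatch between the two files from becoming a write past the buffer again. struct bmp_proto starts and ends outside the hunk.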
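Review bot: In proto/bmp/config.Y the emptiness and length checks are repeated verbatim in the `SYSTEM DESCRIPTION` and `SYSTEM NAME` actions, so the bound that protects the fixed-size buffers in bmp.h is maintained in two places. A single helper in the grammar file's C prologue (the name below is only a suggestion) would keep both options on the same limit. This relies on cf_error() not returning, which the existing actions already appear to assume, since the assignment follows the check unconditionally. The `bmp_proto` rule starts and ends outside the hunk.

```yacc
static void
bmp_check_mib_string(const char *str)
{
  if (!str || (strlen(str) == 0))
    cf_error("String is empty");
  else if (strlen(str) > MIB_II_STR_LEN)
    cf_error("Invalid string length");
}

/* … unchanged: start of the bmp_proto rule … */
 | bmp_proto SYSTEM DESCRIPTION text ';' {
     bmp_check_mib_string($4);
     BMP_CFG->sys_descr = $4;
   }
/* … SYSTEM NAME action: same call before the unchanged sys_name assignment … */
```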