From: Ondrej Zajicek (work)
Date: Mon, 9 Sep 2019 01:13:35 +0000 (+0200)
Subject: BGP: Fix bugs in handling of shutdown messages
X-Git-Tag: v2.0.6~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8388f5a7e14108a1458fea35bfbb5a453e2c563c;p=thirdparty%2Fbird.git
BGP: Fix bugs in handling of shutdown messages
There is an improper check for valid message size, which may lead to stack overflow and buffer leaks to log when a large message is received. Thanks to Daniel McCarney for bugreport and analysis.
---
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 2b7ee1d00..4632e4ade 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -2959,7 +2959,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
 return 1;
 /* Handle proper message */
- if ((msg_len > 255) && (msg_len + 1 > len))
+ if (msg_len + 1 > len)
 return 0;
 /* Some elementary cleanup */
@@ -2975,7 +2975,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
 void
 bgp_log_error(struct bgp_proto *p, u8 class, char *msg, uint code, uint subcode, byte *data, uint len)
 {
- byte argbuf[256], *t = argbuf;
+ byte argbuf[256+16], *t = argbuf;
 uint i;
 /* Don't report Cease messages generated by myself */
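Review bot: The comment `/* Handle proper message */` above the corrected test in bgp_handle_message does not state the invariant that `if (msg_len + 1 > len)` enforces, so a reader cannot tell that it is the only thing keeping the following cleanup and copy inside the received data. I would replace it with `/* Reject if the length octet claims more bytes than the data holds (1 length byte + msg_len) */`. The assignment of msg_len and the read of the length octet are outside this hunk. It should be confirmed there that the caller guarantees len >= 1 before that read, and that msg_len is an unsigned value small enough that `msg_len + 1` cannot wrap.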
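Review bot: The new size in `byte argbuf[256+16], *t = argbuf;` is a bare sum that does not say what the extra 16 bytes cover, so a later change to the formatting done through `t` could bring back the stack overrun this commit fixes without anyone noticing. I would give the size a named constant (suggested name only, e.g. `BGP_LOG_ARGBUF_SIZE`) with a comment listing the worst-case bytes written: the maximum message length, the surrounding punctuation and the terminating NUL. The writes through `t` are outside this hunk; if they use unbounded formatting, bounding each one against `argbuf + sizeof(argbuf)` would make the buffer safe independently of the length check in bgp_handle_message.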