From: Alberto Leiva Popper <ydahhrk@gmail.com>
Date: Tue, 23 Jun 2026 16:56:35 +0000 (-0600)
Subject: RTR: Reject serial ^ 0x80000000
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0116529f0d9af10efe1baccccd6eb81bdc819a1;p=thirdparty%2FFORT-validator.git

RTR: Reject serial ^ 0x80000000

Eg. if the cache has serial 0x01, and the router requests serial
0x80000001.

0x80000001 was bypassing the sanitizations because, in accordance with
32-bit serial number arithmetic, it's neither greater nor less than
0x01.

This was resulting in Fort returning Cache Response instead of Cache
Reset.

Thanks to 王鑫 for reporting this.

Fixes GHSA-4q3q-6gww-wc52.
---

diff --git a/src/rtr/db/vrps.c b/src/rtr/db/vrps.c
index f23107d6..cde8afb5 100644
--- a/src/rtr/db/vrps.c
+++ b/src/rtr/db/vrps.c
@@ -418,6 +418,8 @@ vrps_foreach_delta_since(serial_t from, serial_t *to,
 	/* if from > last serial */
 	if (serial_lt(state.serial, from))
 		goto cache_reset; /* Serial is invalid. */
+	if (from == (state.serial ^ 0x80000000u))
+		goto cache_reset; /* Also invalid */
 
 	/*
 	 * TODO (performance) this implementation is naive.