mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2024-12-22 09:41:54 +00:00
BGP: Fix bugs in handling of shutdown messages
There is an improper check for valid message size, which may lead to stack overflow and buffer leaks to log when a large message is received. Thanks to Daniel McCarney for bugreport and analysis.
This commit is contained in:
parent
56d8b1e7f6
commit
8388f5a7e1
@ -2959,7 +2959,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
|
|||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
/* Handle proper message */
|
/* Handle proper message */
|
||||||
if ((msg_len > 255) && (msg_len + 1 > len))
|
if (msg_len + 1 > len)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Some elementary cleanup */
|
/* Some elementary cleanup */
|
||||||
@ -2975,7 +2975,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
|
|||||||
void
|
void
|
||||||
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, uint code, uint subcode, byte *data, uint len)
|
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, uint code, uint subcode, byte *data, uint len)
|
||||||
{
|
{
|
||||||
byte argbuf[256], *t = argbuf;
|
byte argbuf[256+16], *t = argbuf;
|
||||||
uint i;
|
uint i;
|
||||||
|
|
||||||
/* Don't report Cease messages generated by myself */
|
/* Don't report Cease messages generated by myself */
|
||||||
|
Loading…
Reference in New Issue
Block a user