From ba870cab310c151ae8827907c604900ff5cd4d11 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)"
Date: Mon, 9 Sep 2019 03:48:27 +0200
Subject: [PATCH] BGP: Fix bugs in handling of shutdown messages
There is an improper check for valid message size, which may lead to stack overflow and buffer leaks to log when a large message is received. Thanks to Daniel McCarney for bugreport and analysis.
---
 proto/bgp/packets.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c
index 2248b9f9..4d01fe7e 100644
--- a/proto/bgp/packets.c
+++ b/proto/bgp/packets.c
@@ -1531,7 +1531,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
 return 1;
 /* Handle proper message */
- if ((msg_len > 128) && (msg_len + 1 > len))
+ if (msg_len + 1 > len)
 return 0;
 /* Some elementary cleanup */
@@ -1547,7 +1547,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
 void
 bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len)
 {
- byte argbuf[256], *t = argbuf;
+ byte argbuf[256+16], *t = argbuf;
 unsigned i;
 /* Don't report Cease messages generated by myself */
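Review bot: In bgp_handle_message the comment `/* Handle proper message */` sits directly above what is now the only length validation, and nothing says what the check guards against. The condition `msg_len + 1 > len` rejects a declared message length that runs past the received data, so I would label it `/* Reject a declared length that exceeds the received data */`. With the `msg_len > 128` term removed, no upper bound on msg_len is visible in the hunk. If the limit now comes only from the width of the length field, state that here, because the stack buffer size in bgp_log_error appears to depend on it. The declaration of msg_len and the rest of the function lie outside the hunk.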
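Review bot: The new size `256+16` for argbuf in bgp_log_error is an unexplained magic number, and enlarging the array keeps the stack safe only while every write through `t` stays inside that headroom. Those writes are outside the hunk, so I cannot confirm they are bounded. If they are not, an explicit remaining-space check against `argbuf + sizeof(argbuf)` before each append would hold regardless of the received length. At minimum, add a comment such as `/* 256 for the message text plus 16 for surrounding formatting (confirm) */` or give the size a named constant. The body of bgp_log_error continues past the end of the hunk.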