BGP: Fix bugs in handling of shutdown messages
There is an improper check for valid message size, which may lead to a stack overflow and to buffer contents leaking into the log when a large message is received. Thanks to Daniel McCarney for the bug report and analysis.
parent
b5d1903bf6
commit
ba870cab31
@ -1531,7 +1531,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
|
|||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
/* Handle proper message */
|
/* Handle proper message */
|
||||||
if ((msg_len > 128) && (msg_len + 1 > len))
|
if (msg_len + 1 > len)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Some elementary cleanup */
|
/* Some elementary cleanup */
|
||||||
@ -1547,7 +1547,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
|
|||||||
void
|
void
|
||||||
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len)
|
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsigned subcode, byte *data, unsigned len)
|
||||||
{
|
{
|
||||||
byte argbuf[256], *t = argbuf;
|
byte argbuf[256+16], *t = argbuf;
|
||||||
unsigned i;
|
unsigned i;
|
||||||
|
|
||||||
/* Don't report Cease messages generated by myself */
|
/* Don't report Cease messages generated by myself */
|
||||||
|
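Review bot: The enlarged `byte argbuf[256+16]` in bgp_log_error still rests on an unstated size contract, because bgp_handle_message takes only the write cursor `byte **bp` and no remaining capacity, so it cannot bound what it writes into the caller's stack buffer. Neither term of `256+16` is explained in the hunk; a comment on the declaration such as `/* 256: longest text bgp_handle_message() may write through bp; 16: room for the rest of the log line */` (wording to be confirmed against the code outside the hunk) or two named constants would let a reader check the bound. The stricter input check `if (msg_len + 1 > len)` in the first hunk closes the over-read, but the output side would be safer if the buffer end were passed along and checked before each write rather than sized by hand. Both function bodies continue outside the hunks shown, so the actual writes could not be reviewed here.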