The NET_RT_IFLIST sysctl returns RTM_IFINFO and RTM_NEWADDR messages in

the buffer. While RTM_IFINFO starts with a struct if_msghdr RTM_NEWADDR
does not. In other words (struct sockaddr *)(next + sizeof(ifm)) is only
correct for RTM_IFINFO and not for RTM_NEWADDR. So move the ifm_type check
up else get_rtaddrs() would access memory outside of buf.
OK henning@

1 files changed, 4 insertions, 4 deletions

diff --git a/usr.sbin/bgpd/kroute.c b/usr.sbin/bgpd/kroute.c
index 9d29078bcdc..0037414f2ac 100644
--- a/usr.sbin/bgpd/kroute.c
+++ b/usr.sbin/bgpd/kroute.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kroute.c,v 1.125 2005/04/28 13:54:45 claudio Exp $ */
+/*	$OpenBSD: kroute.c,v 1.126 2005/05/13 08:34:33 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -1378,12 +1378,12 @@ fetchifs(int ifindex)
 	lim = buf + len;
 	for (next = buf; next < lim; next += ifm.ifm_msglen) {
 		memcpy(&ifm, next, sizeof(ifm));
-		sa = (struct sockaddr *)(next + sizeof(ifm));
-		get_rtaddrs(ifm.ifm_addrs, sa, rti_info);
-
 		if (ifm.ifm_type != RTM_IFINFO)
 			continue;
 
+		sa = (struct sockaddr *)(next + sizeof(ifm));
+		get_rtaddrs(ifm.ifm_addrs, sa, rti_info);
+
 		if ((kif = calloc(1, sizeof(struct kif_node))) == NULL) {
 			log_warn("fetchifs");
 			free(buf);