diff options
| author |   claudio <claudio@openbsd.org> | 2018-09-20 07:37:06 +0000 |
|---|---|---|
| committer | claudio <claudio@openbsd.org> | 2018-09-20 07:37:06 +0000 |
| commit | 51491708bc8d00833c10032fdf9c61bedb3022ea (patch) | |
| tree | 6a701443bdc904c8da17ef1c18f259f55542117f | |
| parent | reorder CASignatureAlgorithms, and add them to the various -o lists; (diff) | |
| download | wireguard-openbsd-51491708bc8d00833c10032fdf9c61bedb3022ea.tar.xz wireguard-openbsd-51491708bc8d00833c10032fdf9c61bedb3022ea.zip | |
Fix an out of bound read that could crash the RDE because it touched
unallocated memory while looking for AS 0.
Found by and debugged with Aaron A. Glenn. Thanks a lot.
| -rw-r--r-- | usr.sbin/bgpd/util.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/usr.sbin/bgpd/util.c b/usr.sbin/bgpd/util.c index 882214dceda..0c01b54e2b7 100644 --- a/usr.sbin/bgpd/util.c +++ b/usr.sbin/bgpd/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.35 2018/09/14 10:22:11 claudio Exp $ */ +/* $OpenBSD: util.c,v 1.36 2018/09/20 07:37:06 claudio Exp $ */ /* * Copyright (c) 2006 Claudio Jeker <claudio@openbsd.org> @@ -451,7 +451,7 @@ aspath_verify(void *data, u_int16_t len, int as4byte) as_size = 4; for (; len > 0; len -= seg_size, seg += seg_size) { - const u_char *ptr; + const u_int8_t *ptr; int pos; if (len < 2) /* header length check */ @@ -482,12 +482,12 @@ aspath_verify(void *data, u_int16_t len, int as4byte) /* RFC 7607 - AS 0 is considered malformed */ ptr = seg + 2; for (pos = 0; pos < seg_len; pos++) { - u_int32_t as = 0; + u_int32_t as; - ptr += as_size; memcpy(&as, ptr, as_size); if (as == 0) error = AS_ERR_SOFT; + ptr += as_size; } } return (error); /* aspath is valid but probably not loop free */ |