CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2023/07/12 06:48:18
Modified files:
usr.sbin/bgpd : Tag: OPENBSD_7_2 kroute.c session.c
Log message:
Check the F_NEXTHOP flag on the right kroute6 object.
On multipath routes the check ended up checking the wrong route for the
nexthop update. This resulted in a use-after-free in kroute_detach_nexthop().
This only affects IPv6; in the IPv4 code path the right object was already used.
Thanks to sthen@ for providing the debug information to track this down.
OK sthen@ tb@
from claudio

In session_process_msg() recheck the validity of the rbuf before moving
the remaining data around.
There is an improbable case where a NOTIFICATION is received while also
reaching the MSG_PROCESS_LIMIT. In this case rbuf is NULL when breaking
out of the for loop and hitting this code.
sthen@ is the (un)lucky person to hit that improbable case.
OK tb@ sthen@
from claudio

This is errata/7.2/031_bgpd.patch.sig
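
The second log entry above describes a loop with two exits, only one of which notices that a handler freed the read buffer. The following is an added example, not code from bgpd or from the commit: a simplified C model of that pattern with the recheck in place. The struct layouts, the one-byte message format, the limit value and the names handle_msg, process_msgs and make_peer are assumptions made for the illustration.

```c
/* Simplified model of the pattern in the log message; NOT bgpd source. */
#include <stdlib.h>
#include <string.h>

#define MSG_PROCESS_LIMIT 2	/* constructed small limit for the demo */
#define MSG_LEN 1		/* constructed format: one type byte per message */
#define T_UPDATE 2
#define T_NOTIFICATION 3

struct rbuf { unsigned char buf[16]; size_t wpos; };
struct peer { struct rbuf *rbuf; };

/* Handler model: a NOTIFICATION tears the session down and frees rbuf. */
static void handle_msg(struct peer *p, unsigned char type)
{
	if (type == T_NOTIFICATION) {
		free(p->rbuf);
		p->rbuf = NULL;
	}
}

/* Caller passes a live rbuf. Returns bytes kept for the next call,
 * or -1 if the buffer was released while processing. */
int process_msgs(struct peer *p)
{
	size_t rpos = 0, av = p->rbuf->wpos, left;
	int processed = 0;

	while (rpos + MSG_LEN <= av) {
		if (p->rbuf == NULL)	/* sees a free from the previous round */
			break;
		handle_msg(p, p->rbuf->buf[rpos]);
		rpos += MSG_LEN;
		if (++processed >= MSG_PROCESS_LIMIT)
			break;		/* this exit skips the check above */
	}
	if (p->rbuf == NULL)		/* recheck before touching rbuf again */
		return -1;
	left = av - rpos;
	memmove(p->rbuf->buf, p->rbuf->buf + rpos, left);
	p->rbuf->wpos = left;
	return (int)left;
}

/* Hypothetical helper: build a peer whose buffer holds the given types. */
struct peer make_peer(const unsigned char *types, size_t n)
{
	struct peer p = { calloc(1, sizeof(struct rbuf)) };
	memcpy(p.rbuf->buf, types, n);
	p.rbuf->wpos = n;
	return p;
}
```

Without the recheck after the loop, the memmove() would dereference a NULL rbuf whenever the message that reaches the limit is also the one that frees the buffer.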