Re: bgpctl show_attr bad length fix

Tue, 18 Mar 2014 06:51:00 -0700 

Commited, thanks

On Tue, Mar 18, 2014 at 08:57:40AM +0000, rivo nurges wrote:
> Hi!
> 
> When show_attr reads data length from provided data it reads carbage
> to alen and fails afterwards. This patch fixes the problem by casting
> the data to u_char. While at it I noticed data gets assigned twice.
> 
> 
> bgpctl.c: /* bad imsg len how can that happen!? */
> bgpctl.c: if (alen > len)
> bgpctl.c:   errx(1, "show_attr: bad length");
> 
> It can happen:D
> 
> 
> Example failing prefix with long community list:
> Before:
> BGP routing table entry for 5.44.0.0/20
>     25478 31499 39812
>     Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w)
>     Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best
>     Last update: 00:12:11 ago
> bgpctl: show_attr: bad length
> 
> After:
> BGP routing table entry for 5.44.0.0/20
>     25478 31499 39812
>     Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w)
>     Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best
>     Last update: 00:11:13 ago
>     Communities: 0:5429 0:6719 0:8241 0:8636 0:8641 0:24955 0:25478 0:25532
> 0:29000 0:29319 0:30784 0:31225 0:41349 0:41475 0:42511 0:42754 0:43973 
> 0:44020
> 0:44053 0:44281 0:47104 0:47119 0:47321 0:48166 0:48293 0:48297 0:48781 
> 0:49060
> 0:49124 0:50384 0:50448 0:50577 0:50911 0:50952 0:56462 0:57073 0:57363 
> 1299:150
> 3249:10643 3249:11000 3249:11001 3356:90 6854:1009 6854:1509 6854:1605 
> 6854:1665
> 8359:2094 8631:8631 8744:52994 8744:53124 8744:53134 8744:59994 12389:6992
> 12389:7130 12389:7993 12389:8020 12389:8995 25478:10011 25478:10931 
> 25478:24000
> 25478:29000 31133:10008 31133:25002
>     Originator Id: x.y.z.w
>     Cluster ID List: x.y.z.w z.x.y.w
> 
> 
> -- 
> rix
> 
> 
> 
> Index: usr.sbin/bgpctl/bgpctl.c
> ===================================================================
> RCS file: /OpenBSD/src/usr.sbin/bgpctl/bgpctl.c,v
> retrieving revision 1.173
> diff -u -p -r1.173 bgpctl.c
> --- usr.sbin/bgpctl/bgpctl.c  13 Nov 2013 22:52:41 -0000      1.173
> +++ usr.sbin/bgpctl/bgpctl.c  3 Mar 2014 13:21:23 -0000
> @@ -1346,7 +1346,6 @@ show_attr(void *b, u_int16_t len)
>       u_int16_t        alen, ioff;
>       u_int8_t         flags, type;
>  
> -     data = b;
>       if (len < 3)
>               errx(1, "show_attr: too short bgp attr");
>  
> @@ -1362,7 +1361,7 @@ show_attr(void *b, u_int16_t len)
>               data += 4;
>               len -= 4;
>       } else {
> -             alen = data[2];
> +             alen = (u_char)data[2];
>               data += 3;
>               len -= 3;
>       }
> 

-- 
I'm not entirely sure you are real.

Reply via email to