So flowspec_get_addr() in the IPv6 case is utterly complicated, since matching can be done on some sub-part of the prefix. So there is this shift_right() call that takes care of this special offset.
Now the shift_right call uses *olen but should actually use xoff instead. *olen is set much later in the code. This should fix: https://github.com/openbgpd-portable/openbgpd-portable/security/code-scanning/2 -- :wq Claudio Index: flowspec.c =================================================================== RCS file: /cvs/src/usr.sbin/bgpd/flowspec.c,v retrieving revision 1.4 diff -u -p -r1.4 flowspec.c --- flowspec.c 19 Apr 2023 09:31:58 -0000 1.4 +++ flowspec.c 23 Oct 2023 10:44:22 -0000 @@ -366,7 +366,7 @@ flowspec_get_addr(const uint8_t *flow, i if (extract_prefix(comp + 2, complen - 2, buf, xlen, sizeof(buf)) == -1) return -1; - shift_right(addr->v6.s6_addr, buf, *olen, xlen); + shift_right(addr->v6.s6_addr, buf, xoff, xlen); *plen = comp[0]; if (olen != NULL) *olen = comp[1];
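Review bot: In the shift_right() call, the removed line read *olen two lines before the `if (olen != NULL)` guard, so the old code could also dereference a NULL pointer when a caller passes no olen, not only read a value that had not been set yet; the commit message should mention both effects, since the NULL case is the one with the clearer crash impact. The replacement argument xoff is not defined anywhere in the visible context, so please confirm it is derived from the same offset byte that is later stored with `*olen = comp[1];` and that it has been validated against xlen before extract_prefix() and shift_right() run. A regression test calling flowspec_get_addr() for an IPv6 component with a non-zero offset and olen set to NULL would pin this down.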