Commit 8388f5a7 authored by Ondřej Zajíček

BGP: Fix bugs in handling of shutdown messages

There is an improper check for valid message size, which may lead to
stack overflow and buffer leaks to log when a large message is received.

Thanks to Daniel McCarney for the bug report and analysis.
parent 56d8b1e7
Pipeline #52335 passed with stages
in 5 minutes and 20 seconds
......@@ -2959,7 +2959,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
return 1;
/* Handle proper message */
if ((msg_len > 255) && (msg_len + 1 > len))
if (msg_len + 1 > len)
return 0;
/* Some elementary cleanup */
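Review bot: The corrected check `if (msg_len + 1 > len)` carries an unexplained `+ 1` and no comment on what bounds `msg_len` for the code that follows. The old form joined the two tests with `&&`, so a message with `msg_len` of 255 or less was never compared against `len` at all; a later edit could easily reintroduce that mistake. Add a short comment stating what the extra byte accounts for and what maximum `msg_len` the code after this check may rely on, and consider a regression test that feeds a message whose declared length exceeds `len`.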
......@@ -2975,7 +2975,7 @@ bgp_handle_message(struct bgp_proto *p, byte *data, uint len, byte **bp)
bgp_log_error(struct bgp_proto *p, u8 class, char *msg, uint code, uint subcode, byte *data, uint len)
byte argbuf[256], *t = argbuf;
byte argbuf[256+16], *t = argbuf;
uint i;
/* Don't report Cease messages generated by myself */
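Review bot: `byte argbuf[256+16]` in `bgp_log_error` sizes the buffer with a bare `256+16`, and nothing in the hunk says what the extra 16 bytes cover. Name the two parts (the maximum message length and the headroom for whatever else is written through `t`) in a comment or as constants. It would also be safer to bound writes through `t` against `argbuf + sizeof(argbuf)`, so the function does not depend on every caller passing a `len` that fits.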