author claudio <claudio@openbsd.org>
Thu, 25 May 2023 14:20:25 +0000 (14:20 +0000)
committer claudio <claudio@openbsd.org>
Thu, 25 May 2023 14:20:25 +0000 (14:20 +0000)

In session_process_msg() recheck the validity of the rbuf before moving
the remaining data around.

There is an improbable case where a NOTIFICATION is received while also
reaching the MSG_PROCESS_LIMIT. In this case rbuf is NULL when breaking
out of the for loop and hitting this code.

sthen@ is the (un)lucky person to hit that improbable case
OK tb@ sthen@

usr.sbin/bgpd/session.c

index c8debdb..543b6bf 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: session.c,v 1.444 2023/05/05 07:28:08 claudio Exp $ */
+/*     $OpenBSD: session.c,v 1.445 2023/05/25 14:20:25 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -1998,6 +1998,8 @@ session_process_msg(struct peer *p)
                }
        }
 
+       if (p->rbuf == NULL)
+               return;
        if (rpos < av) {
                left = av - rpos;
                memmove(&p->rbuf->buf, p->rbuf->buf + rpos, left);
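
Review bot: the new `if (p->rbuf == NULL) return;` guard ahead of the `rpos < av` block carries no comment saying how rbuf can be NULL at this point, so a later reader may take it for a redundant check and drop it. A short comment above the guard, for example /* rbuf is NULL if a NOTIFICATION was received while MSG_PROCESS_LIMIT was reached */, would keep the condition from the commit message next to the code. Because the guard returns instead of just skipping the memmove block, it is also worth confirming that nothing later in session_process_msg() has to run on that path; the remainder of the function is not visible in this hunk.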