From: claudio Date: Tue, 19 Jul 2022 13:03:09 +0000 (+0000) Subject: Do a minimal check that the passed in option is inside the ASPATH segment. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=506f72cff90310352286a73785354ec0d765d7b7;p=openbsd Do a minimal check that the passed in option is inside the ASPATH segment. Check both for negative pos and for pos bigger or equal to the segment length With and OK tb@ --- diff --git a/usr.sbin/bgpd/util.c b/usr.sbin/bgpd/util.c index b4bdd5c2fe9..30aef0a83d0 100644 --- a/usr.sbin/bgpd/util.c +++ b/usr.sbin/bgpd/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.69 2022/06/28 05:49:05 tb Exp $ */ +/* $OpenBSD: util.c,v 1.70 2022/07/19 13:03:09 claudio Exp $ */ /* * Copyright (c) 2006 Claudio Jeker @@ -364,7 +364,7 @@ aspath_strlen(void *data, uint16_t len) /* * Extract the asnum out of the as segment at the specified position. * Direct access is not possible because of non-aligned reads. - * ATTENTION: no bounds checks are done. + * Only works on verified 4-byte AS paths. */ uint32_t aspath_extract(const void *seg, int pos) @@ -372,6 +372,9 @@ aspath_extract(const void *seg, int pos) const u_char *ptr = seg; uint32_t as; + /* minimal pos check, return 0 since that is an invalid ASN */ + if (pos < 0 || pos >= ptr[1]) + return (0); ptr += 2 + sizeof(uint32_t) * pos; memcpy(&as, ptr, sizeof(uint32_t)); return (ntohl(as));