From: claudio Date: Thu, 20 Sep 2018 07:37:06 +0000 (+0000) Subject: Fix an out of bound read that could crash the RDE because it touched X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=51491708bc8d00833c10032fdf9c61bedb3022ea;p=openbsd Fix an out of bound read that could crash the RDE because it touched unallocated memory while looking for AS 0. Found by and debugged with Aaron A. Glenn. Thanks a lot. --- diff --git a/usr.sbin/bgpd/util.c b/usr.sbin/bgpd/util.c index 882214dceda..0c01b54e2b7 100644 --- a/usr.sbin/bgpd/util.c +++ b/usr.sbin/bgpd/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.35 2018/09/14 10:22:11 claudio Exp $ */ +/* $OpenBSD: util.c,v 1.36 2018/09/20 07:37:06 claudio Exp $ */ /* * Copyright (c) 2006 Claudio Jeker @@ -451,7 +451,7 @@ aspath_verify(void *data, u_int16_t len, int as4byte) as_size = 4; for (; len > 0; len -= seg_size, seg += seg_size) { - const u_char *ptr; + const u_int8_t *ptr; int pos; if (len < 2) /* header length check */ @@ -482,12 +482,12 @@ aspath_verify(void *data, u_int16_t len, int as4byte) /* RFC 7607 - AS 0 is considered malformed */ ptr = seg + 2; for (pos = 0; pos < seg_len; pos++) { - u_int32_t as = 0; + u_int32_t as; - ptr += as_size; memcpy(&as, ptr, as_size); if (as == 0) error = AS_ERR_SOFT; + ptr += as_size; } } return (error); /* aspath is valid but probably not loop free */