From: claudio <claudio@openbsd.org>
Date: Thu, 25 May 2023 14:20:25 +0000 (+0000)
Subject: In session_process_msg() recheck the validity of the rbuf before moving
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=7515d867e80ac38daab3c4c8a25d13cf8a3033c6;p=openbsd

In session_process_msg() recheck the validity of the rbuf before moving
the remaining data around.

There is an improbable case where a NOTIFICATION is received while also
reaching the MSG_PROCESS_LIMIT. In this case rbuf is NULL when breaking
out of the for loop and hitting this code.

sthen@ is the (un)lucky person to hit that improbable case
OK tb@ sthen@
---

diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index c8debdb4d15..543b6bfedab 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: session.c,v 1.444 2023/05/05 07:28:08 claudio Exp $ */
+/*	$OpenBSD: session.c,v 1.445 2023/05/25 14:20:25 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -1998,6 +1998,8 @@ session_process_msg(struct peer *p)
 		}
 	}
 
+	if (p->rbuf == NULL)
+		return;
 	if (rpos < av) {
 		left = av - rpos;
 		memmove(&p->rbuf->buf, p->rbuf->buf + rpos, left);