From: claudio Date: Tue, 25 Jun 2024 13:21:18 +0000 (+0000) Subject: When filling prefixes with pt_writebuf() keep 2 bytes reserved in the X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a48c3ad520a06455cd53ecf8a67a6b70290f8f52;p=openbsd When filling prefixes with pt_writebuf() keep 2 bytes reserved in the withdraw case. Those bytes are needed for the attribute length field. Without this withdraw messages can become overfull and are dropped without notice. Problem found and fix tested by denis@ OK denis@ tb@ --- diff --git a/usr.sbin/bgpd/rde_prefix.c b/usr.sbin/bgpd/rde_prefix.c index 07cb8d53b69..a6720b00b18 100644 --- a/usr.sbin/bgpd/rde_prefix.c +++ b/usr.sbin/bgpd/rde_prefix.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_prefix.c,v 1.50 2023/07/12 14:45:43 claudio Exp $ */ +/* $OpenBSD: rde_prefix.c,v 1.51 2024/06/25 13:21:18 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Claudio Jeker @@ -567,6 +567,9 @@ pt_writebuf(struct ibuf *buf, struct pt_entry *pte, int withdraw, goto fail; } + /* keep 2 bytes reserved in the withdraw case for IPv4 encoding */ + if (withdraw && ibuf_left(buf) < ibuf_size(tmp) + 2) + goto fail; if (ibuf_add_buf(buf, tmp) == -1) goto fail; ibuf_free(tmp);