From 00164d1023b8543121e686d69881fde8ff1da926 Mon Sep 17 00:00:00 2001
From: claudio
Date: Fri, 17 Mar 2023 11:14:10 +0000
Subject: [PATCH] Fix rtr_parse_aspa(), the spas array is actually not copied over into the rtr_aspa struct so access them directly from the buf using offset as the address of the first element. OK tb@
---
 usr.sbin/bgpd/rtr_proto.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/bgpd/rtr_proto.c b/usr.sbin/bgpd/rtr_proto.c
index 61dfb98bd73..c13d0edff8d 100644
--- a/usr.sbin/bgpd/rtr_proto.c
+++ b/usr.sbin/bgpd/rtr_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtr_proto.c,v 1.14 2023/03/11 10:04:59 claudio Exp $ */
+/* $OpenBSD: rtr_proto.c,v 1.15 2023/03/17 11:14:10 claudio Exp $ */
 /*
 * Copyright (c) 2020 Claudio Jeker
@@ -82,7 +82,7 @@ struct rtr_aspa {
 uint8_t afi_flags;
 uint16_t cnt;
 uint32_t cas;
- uint32_t spas[0];
+ /* array of spas with cnt elements follows */
 };
 struct rtr_endofdata {
@@ -669,7 +669,10 @@ rtr_parse_aspa(struct rtr_session *rs, uint8_t *buf, size_t len)
 return -1;
 }
 for (i = 0; i < cnt; i++) {
- aspa->tas[i] = ntohl(rtr_aspa.spas[i]);
+ uint32_t tas;
+ memcpy(&tas, buf + offset + i * sizeof(tas),
+ sizeof(tas));
+ aspa->tas[i] = ntohl(tas);
 aspa->tas_aid[i] = aid;
 }
 }
--
2.20.1
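Review bot: In the third hunk, the new `memcpy(&tas, buf + offset + i * sizeof(tas), sizeof(tas))` reads `cnt` four-byte entries from the received buffer, and nothing visible in the hunk shows that `len` was checked to cover `offset + cnt * sizeof(uint32_t)`. rtr_parse_aspa() starts and ends outside the hunk, so that validation may already sit before the `return -1;` context lines; if it does, a comment above the loop such as `/* len == offset + cnt * sizeof(uint32_t) was checked above, so every read stays inside buf */` would keep the dependency explicit for the next change. If it does not, the loop should be preceded by a length check that rejects the PDU, because `cnt` appears to be taken from the PDU itself and a malformed ASPA PDU would otherwise drive reads past the end of `buf`.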