From 51491708bc8d00833c10032fdf9c61bedb3022ea Mon Sep 17 00:00:00 2001
From: claudio
Date: Thu, 20 Sep 2018 07:37:06 +0000
Subject: [PATCH] Fix an out of bound read that could crash the RDE because it touched unallocated memory while looking for AS 0. Found by and debugged with Aaron A. Glenn. Thanks a lot.
---
 usr.sbin/bgpd/util.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/usr.sbin/bgpd/util.c b/usr.sbin/bgpd/util.c
index 882214dceda..0c01b54e2b7 100644
--- a/usr.sbin/bgpd/util.c
+++ b/usr.sbin/bgpd/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.35 2018/09/14 10:22:11 claudio Exp $ */
+/* $OpenBSD: util.c,v 1.36 2018/09/20 07:37:06 claudio Exp $ */
 /*
 * Copyright (c) 2006 Claudio Jeker
@@ -451,7 +451,7 @@ aspath_verify(void *data, u_int16_t len, int as4byte)
 as_size = 4;
 for (; len > 0; len -= seg_size, seg += seg_size) {
- const u_char *ptr;
+ const u_int8_t *ptr;
 int pos;
 if (len < 2) /* header length check */
@@ -482,12 +482,12 @@ aspath_verify(void *data, u_int16_t len, int as4byte)
 /* RFC 7607 - AS 0 is considered malformed */
 ptr = seg + 2;
 for (pos = 0; pos < seg_len; pos++) {
- u_int32_t as = 0;
+ u_int32_t as;
- ptr += as_size;
 memcpy(&as, ptr, as_size);
 if (as == 0) error = AS_ERR_SOFT;
+ ptr += as_size;
 }
 }
 return (error); /* aspath is valid but probably not loop free */
-- 
2.20.1
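Review bot: Dropping the initializer in `u_int32_t as;` (third hunk) leaves part of `as` indeterminate whenever `as_size` is smaller than `sizeof(as)`, because `memcpy(&as, ptr, as_size)` fills only the first `as_size` bytes and the `as == 0` test then reads the rest uninitialized. The second hunk's context shows `as_size = 4;` being assigned, apparently only for the 4-byte case, so on the 2-byte path the RFC 7607 AS 0 check could presumably miss a zero AS or flag a non-zero one depending on stack contents. Moving `ptr += as_size;` after the copy is enough to fix the out-of-bounds read on its own; I would keep the declaration as `u_int32_t as = 0;`. aspath_verify's body starts and ends outside this hunk, so the default value of `as_size` is not visible here.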