From 7515d867e80ac38daab3c4c8a25d13cf8a3033c6 Mon Sep 17 00:00:00 2001 From: claudio Date: Thu, 25 May 2023 14:20:25 +0000 Subject: [PATCH] In session_process_msg() recheck the validity of the rbuf before moving the remaining data around. There is an improbable case where a NOTIFICATION is received while also reaching the MSG_PROCESS_LIMIT. In this case rbuf is NULL when breaking out of the for loop and hitting this code. sthen@ is the (un)lucky person to hit that improbable case OK tb@ sthen@ --- usr.sbin/bgpd/session.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c index c8debdb4d15..543b6bfedab 100644 --- a/usr.sbin/bgpd/session.c +++ b/usr.sbin/bgpd/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.444 2023/05/05 07:28:08 claudio Exp $ */ +/* $OpenBSD: session.c,v 1.445 2023/05/25 14:20:25 claudio Exp $ */ /* * Copyright (c) 2003, 2004, 2005 Henning Brauer @@ -1998,6 +1998,8 @@ session_process_msg(struct peer *p) } } + if (p->rbuf == NULL) + return; if (rpos < av) { left = av - rpos; memmove(&p->rbuf->buf, p->rbuf->buf + rpos, left); -- 2.20.1
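Review bot: the added `if (p->rbuf == NULL) return;` in front of the `if (rpos < av)` block has no comment, so the reason rbuf can be NULL at this point is recorded only in the commit message (a NOTIFICATION received in the same pass that reaches MSG_PROCESS_LIMIT). A short comment above the check, for example `/* rbuf is NULL if a NOTIFICATION was processed in the loop above */`, would keep a later cleanup from dropping it as redundant, since the `memmove()` right below dereferences `p->rbuf` unconditionally. The early return also skips whatever follows the `rpos < av` block, which is not visible in this hunk, so it is worth confirming that nothing after it has to run for a peer whose rbuf is already gone.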