From a48c3ad520a06455cd53ecf8a67a6b70290f8f52 Mon Sep 17 00:00:00 2001
From: claudio
Date: Tue, 25 Jun 2024 13:21:18 +0000
Subject: [PATCH] When filling prefixes with pt_writebuf() keep 2 bytes reserved in the withdraw case. Those bytes are needed for the attribute length field. Without this withdraw messages can become overfull and are dropped without notice. Problem found and fix tested by denis@ OK denis@ tb@
---
 usr.sbin/bgpd/rde_prefix.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/bgpd/rde_prefix.c b/usr.sbin/bgpd/rde_prefix.c
index 07cb8d53b69..a6720b00b18 100644
--- a/usr.sbin/bgpd/rde_prefix.c
+++ b/usr.sbin/bgpd/rde_prefix.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde_prefix.c,v 1.50 2023/07/12 14:45:43 claudio Exp $ */
+/* $OpenBSD: rde_prefix.c,v 1.51 2024/06/25 13:21:18 claudio Exp $ */
 /*
 * Copyright (c) 2003, 2004 Claudio Jeker
@@ -567,6 +567,9 @@ pt_writebuf(struct ibuf *buf, struct pt_entry *pte, int withdraw,
 goto fail;
 }
+ /* keep 2 bytes reserved in the withdraw case for IPv4 encoding */
+ if (withdraw && ibuf_left(buf) < ibuf_size(tmp) + 2)
+ goto fail;
 if (ibuf_add_buf(buf, tmp) == -1)
 goto fail;
 ibuf_free(tmp);
--
2.20.1
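Review bot: The comment added in the second hunk says the reserved bytes are "for IPv4 encoding", yet the guard `if (withdraw && ibuf_left(buf) < ibuf_size(tmp) + 2)` applies to every withdraw regardless of address family, and the bare `2` does not name the field it protects. The commit message identifies it as the attribute length field, so the comment would be clearer as `/* withdraw: leave room for the 2-byte attribute length field written after the prefixes */`, with a note if the reservation is deliberately conservative for non-IPv4 families. Because an overfull withdraw was previously dropped without notice, which presumably leaves peers holding routes that should have been removed, a log message where the oversized message is discarded would make any recurrence visible to operators. That discard site and the `fail` label are outside this hunk, as are the start and end of pt_writebuf().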