From f3760350bcb7dc879feee5d7bb98879f3e372682 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 8 Mar 2022 13:02:42 +0000
Subject: [PATCH] Avoid leak of roa in rtr_parse_ipv{4,6}_prefix()

If the length checks trigger, roa is leaked. Pull the length checks above the allocation, which makes more sense and avoids additional free(roa).

ok claudio
---
 usr.sbin/bgpd/rtr_proto.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/usr.sbin/bgpd/rtr_proto.c b/usr.sbin/bgpd/rtr_proto.c
index d6d49e91222..68bd610ced8 100644
--- a/usr.sbin/bgpd/rtr_proto.c
+++ b/usr.sbin/bgpd/rtr_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtr_proto.c,v 1.5 2022/02/06 09:51:19 claudio Exp $ */
+/* $OpenBSD: rtr_proto.c,v 1.6 2022/03/08 13:02:42 tb Exp $ */
 /* * Copyright (c) 2020 Claudio Jeker
@@ -442,13 +442,6 @@ rtr_parse_ipv4_prefix(struct rtr_session *rs, uint8_t *buf, size_t len)
 }
 memcpy(&ip4, buf + sizeof(struct rtr_header), sizeof(ip4));
-
- if ((roa = calloc(1, sizeof(*roa))) == NULL) {
- log_warn("rtr %s: received %s",
- log_rtr(rs), log_rtr_type(IPV4_PREFIX));
- rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0);
- return -1;
- }
 if (ip4.prefixlen > 32 || ip4.maxlen > 32 || ip4.prefixlen > ip4.maxlen) {
 log_warnx("rtr: %s: received %s: bad prefixlen / maxlen",
@@ -457,6 +450,13 @@ rtr_parse_ipv4_prefix(struct rtr_session *rs, uint8_t *buf, size_t len)
 buf, len);
 return -1;
 }
+
+ if ((roa = calloc(1, sizeof(*roa))) == NULL) {
+ log_warn("rtr %s: received %s",
+ log_rtr(rs), log_rtr_type(IPV4_PREFIX));
+ rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0);
+ return -1;
+ }
 roa->aid = AID_INET;
 roa->prefixlen = ip4.prefixlen;
 roa->maxlen = ip4.maxlen;
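Review bot: Nothing at the relocated `calloc` records that it must stay below the `prefixlen`/`maxlen` range check, so a later edit could move the allocation back up and reintroduce the leak this commit fixes. A one-line comment above it would pin the ordering down, e.g. `/* allocate only after the PDU fields are validated: the error returns above own no memory */`; the same applies to the IPv6 hunk at -526,6. The checked values are copied straight out of the received buffer by the `memcpy` above, so the reject path is presumably reachable from whatever the RTR peer sends. The function continues past `roa->maxlen = ip4.maxlen;` outside the hunk, so it cannot be confirmed from here that every later return frees `roa`.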
@@ -511,13 +511,6 @@ rtr_parse_ipv6_prefix(struct rtr_session *rs, uint8_t *buf, size_t len)
 }
 memcpy(&ip6, buf + sizeof(struct rtr_header), sizeof(ip6));
-
- if ((roa = calloc(1, sizeof(*roa))) == NULL) {
- log_warn("rtr %s: received %s",
- log_rtr(rs), log_rtr_type(IPV6_PREFIX));
- rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0);
- return -1;
- }
 if (ip6.prefixlen > 128 || ip6.maxlen > 128 || ip6.prefixlen > ip6.maxlen) {
 log_warnx("rtr: %s: received %s: bad prefixlen / maxlen",
@@ -526,6 +519,13 @@ rtr_parse_ipv6_prefix(struct rtr_session *rs, uint8_t *buf, size_t len)
 buf, len);
 return -1;
 }
+
+ if ((roa = calloc(1, sizeof(*roa))) == NULL) {
+ log_warn("rtr %s: received %s",
+ log_rtr(rs), log_rtr_type(IPV6_PREFIX));
+ rtr_send_error(rs, INTERNAL_ERROR, "out of memory", NULL, 0);
+ return -1;
+ }
 roa->aid = AID_INET6;
 roa->prefixlen = ip6.prefixlen;
 roa->maxlen = ip6.maxlen;
-- 
2.20.1
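Review bot: The validate-then-allocate sequence in this hunk is a copy of the IPv4 one with only the bound (128 for 32) and the type constants changed, which is why the same leak had to be fixed twice in this commit. A small static helper for the range test, taking the two lengths and the address-family maximum, would leave a single copy of the validation to keep correct, e.g. `if (!rtr_lens_ok(ip6.prefixlen, ip6.maxlen, 128))` (the helper name is only a suggestion). Both function bodies begin and end outside their hunks, so how much else the two parsers share cannot be seen from here.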