Fix a printf and change the way data is increased so that at the end of the function it is not overflowing. In the VPN4 case, data is increased by sizeof(u_int64_t), but later on the data is increased by the full length, which moves the pointer beyond the end. Now, this is not really a problem since data is no longer dereferenced, but it is better to fix this inconsistency.
OK? -- :wq Claudio Index: rde.c =================================================================== RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.397 diff -u -p -r1.397 rde.c --- rde.c 20 Jul 2018 14:58:20 -0000 1.397 +++ rde.c 21 Jul 2018 08:40:32 -0000 @@ -1222,7 +1222,7 @@ rde_update_dispatch(struct imsg *imsg) state.aspath.nexthop = NULL; } if ((pos = rde_get_mp_nexthop(mpp, mplen, aid, &state)) == -1) { - log_peer_warnx(&peer->conf, "bad nlri prefix"); + log_peer_warnx(&peer->conf, "bad nlri nexthop"); rde_update_err(peer, ERR_UPDATE, ERR_UPD_OPTATTR, mpa.reach, mpa.reach_len); goto done; @@ -1815,9 +1815,9 @@ rde_get_mp_nexthop(u_char *data, u_int16 log_warnx("bad multiprotocol nexthop, bad size"); return (-1); } - data += sizeof(u_int64_t); nexthop.aid = AID_INET; - memcpy(&nexthop.v4, data, sizeof(nexthop.v4)); + memcpy(&nexthop.v4, data + sizeof(u_int64_t), + sizeof(nexthop.v4)); break; default: log_warnx("bad multiprotocol nexthop, bad AID");
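Review bot: In the rde_update_dispatch() hunk, the new text "bad nlri nexthop" still calls the field an NLRI, while the function that failed, rde_get_mp_nexthop(), logs its own errors as "bad multiprotocol nexthop, ...". Using the same wording here, for example "bad multiprotocol nexthop", would let someone reading the log tie the peer-scoped warning to the log_warnx() line that precedes it. The error sent to the peer (ERR_UPD_OPTATTR with mpa.reach) is unchanged, so this is a wording point only.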
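Review bot: In the rde_get_mp_nexthop() hunk, the memcpy() now reads from data + sizeof(u_int64_t) with no comment saying what those 8 skipped bytes are, so the offset reads as a magic number. A one-line comment above the memcpy() naming the skipped field would help. The size check that guards this case sits above the visible context (only its "bad size" failure path is shown), so it is worth confirming in the same commit that it requires at least sizeof(u_int64_t) + sizeof(nexthop.v4) bytes before the copy. Leaving data untouched in this case does make it consistent with the later advance by the full length that the commit message describes.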