On Sat, Jul 21, 2018 at 10:46:00PM +0200, Claudio Jeker wrote:
> Fix a printf and change the way data is increased so that at the end of
> the function it is not overflowing. In the VPN4 case data is increased by
> sizeof(u_int64_t) but later on the data is increased by the full length
> which moves the pointer beyond the end. Now this is not really a problem
> since data is no longer dereferenced but it is better to fix this
> inconsistency.
>
> OK?

ok tb > -- > :wq Claudio > > Index: rde.c > =================================================================== > RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v > retrieving revision 1.397 > diff -u -p -r1.397 rde.c > --- rde.c 20 Jul 2018 14:58:20 -0000 1.397 > +++ rde.c 21 Jul 2018 08:40:32 -0000 > @@ -1222,7 +1222,7 @@ rde_update_dispatch(struct imsg *imsg) > state.aspath.nexthop = NULL; > } > if ((pos = rde_get_mp_nexthop(mpp, mplen, aid, &state)) == -1) { > - log_peer_warnx(&peer->conf, "bad nlri prefix"); > + log_peer_warnx(&peer->conf, "bad nlri nexthop"); > rde_update_err(peer, ERR_UPDATE, ERR_UPD_OPTATTR, > mpa.reach, mpa.reach_len); > goto done; > @@ -1815,9 +1815,9 @@ rde_get_mp_nexthop(u_char *data, u_int16 > log_warnx("bad multiprotocol nexthop, bad size"); > return (-1); > } > - data += sizeof(u_int64_t); > nexthop.aid = AID_INET; > - memcpy(&nexthop.v4, data, sizeof(nexthop.v4)); > + memcpy(&nexthop.v4, data + sizeof(u_int64_t), > + sizeof(nexthop.v4)); > break; > default: > log_warnx("bad multiprotocol nexthop, bad AID"); >
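
Review bot: In the first hunk (rde_update_dispatch, the rde_get_mp_nexthop failure path), the new text "bad nlri nexthop" does not match the wording rde_get_mp_nexthop itself uses in the second hunk ("bad multiprotocol nexthop, bad size" and "bad multiprotocol nexthop, bad AID"). Using the same term here, for example "bad multiprotocol nexthop", would let both log lines for one rejected UPDATE be found with a single search and avoids suggesting that the NLRI itself failed to parse.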
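
Review bot: In the second hunk (rde_get_mp_nexthop, the case that sets nexthop.aid = AID_INET), the offset in "memcpy(&nexthop.v4, data + sizeof(u_int64_t), sizeof(nexthop.v4))" is unexplained; a one-line comment saying that the skipped 8 bytes are the route distinguisher in front of the IPv4 address would spare the next reader from working it out. The copy reads sizeof(u_int64_t) + sizeof(nexthop.v4) bytes counted from data, and the condition of the "bad size" check just above is outside the visible context, so it is worth confirming that the check rejects anything shorter than that.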