From: Daniel Walton <[email protected]>

Testing revealed some issues with handling data input.
This patch fixes those issues.

Signed-off-by: Daniel Walton <[email protected]>
---
 bgpd/bgp_attr.c   | 7 ++++---
 bgpd/bgp_packet.c | 9 ++++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 8e857bd..ef2f46a 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1934,9 +1934,10 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, 
bgp_size_t size,
       if (attr_endp > endp)
        {
          zlog_warn ("%s: BGP type %d length %d is too large, attribute total 
length is %d.  attr_endp is %p.  endp is %p", peer->host, type, length, size, 
attr_endp, endp);
-         bgp_notify_send (peer, 
-                          BGP_NOTIFY_UPDATE_ERR, 
-                          BGP_NOTIFY_UPDATE_ATTR_LENG_ERR);
+          bgp_notify_send_with_data (peer,
+                                     BGP_NOTIFY_UPDATE_ERR,
+                                     BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+                                     startp, attr_endp - startp);
          return BGP_ATTR_PARSE_ERROR;
        }
        
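Review bot: The length passed to bgp_notify_send_with_data, `attr_endp - startp`, extends past the end of the received attribute data, because this branch is only entered when `attr_endp > endp`. The NOTIFICATION would then carry bytes from beyond the UPDATE's attributes, which can disclose adjacent bgpd memory to the peer or fault on the read, and the attribute length that drives it is peer-supplied. Clamp the data to what was actually received, e.g. `startp, endp - startp);`, and confirm the result also fits the notification's data buffer. `startp` is assigned outside this hunk, and bgp_attr_parse continues past it, so its exact position should be checked before relying on that arithmetic.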
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 0d064e0..304df18 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1336,11 +1336,13 @@ bgp_open_receive (struct peer *peer, bgp_size_t size)
   int mp_capability;
   u_int8_t notify_data_remote_as[2];
   u_int8_t notify_data_remote_id[4];
+  u_int16_t *holdtime_ptr;
 
   /* Parse open packet. */
   version = stream_getc (peer->ibuf);
   memcpy (notify_data_remote_as, stream_pnt (peer->ibuf), 2);
   remote_as  = stream_getw (peer->ibuf);
+  holdtime_ptr = (u_int16_t *)stream_pnt (peer->ibuf);
   holdtime = stream_getw (peer->ibuf);
   memcpy (notify_data_remote_id, stream_pnt (peer->ibuf), 4);
   remote_id.s_addr = stream_get_ipv4 (peer->ibuf);
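Review bot: `holdtime_ptr` keeps a raw pointer into `peer->ibuf` typed as `u_int16_t *`, although the stream position has no alignment guarantee and the pointer is only ever used as a byte pointer (the later hunk at the hold-time check casts it back to `u_int8_t *`). The two neighbouring fields take a copy instead, which also avoids depending on the stream buffer being unchanged when the NOTIFICATION is built. Following that pattern would be `u_int8_t notify_data_hold[2];` plus `memcpy (notify_data_hold, stream_pnt (peer->ibuf), 2);`, then passing `notify_data_hold, 2` in the second bgp_packet.c hunk. bgp_open_receive starts and ends outside both hunks, so whether the stream is modified in between is not visible here.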
@@ -1471,9 +1473,10 @@ bgp_open_receive (struct peer *peer, bgp_size_t size)
 
   if (holdtime < 3 && holdtime != 0)
     {
-      bgp_notify_send (peer,
-                      BGP_NOTIFY_OPEN_ERR, 
-                      BGP_NOTIFY_OPEN_UNACEP_HOLDTIME);
+      bgp_notify_send_with_data (peer,
+                                BGP_NOTIFY_OPEN_ERR,
+                                BGP_NOTIFY_OPEN_UNACEP_HOLDTIME,
+                                 (u_int8_t *)holdtime_ptr, 2);
       return -1;
     }
     
-- 
1.9.1

