bgpctl show_attr bad length fix
Hi!
When show_attr reads data length from provided data it reads carbage
to alen and fails afterwards. This patch fixes the problem by casting
the data to u_char. While at it I noticed data gets assigned twice.
bgpctl.c: /* bad imsg len how can that happen!? */
bgpctl.c: if (alen len)
bgpctl.c: errx(1, show_attr: bad length);
It can happen:D
Example failing prefix with long community list:
Before:
BGP routing table entry for 5.44.0.0/20
25478 31499 39812
Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w)
Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best
Last update: 00:12:11 ago
bgpctl: show_attr: bad length
After:
BGP routing table entry for 5.44.0.0/20
25478 31499 39812
Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w)
Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best
Last update: 00:11:13 ago
Communities: 0:5429 0:6719 0:8241 0:8636 0:8641 0:24955 0:25478 0:25532
0:29000 0:29319 0:30784 0:31225 0:41349 0:41475 0:42511 0:42754 0:43973 0:44020
0:44053 0:44281 0:47104 0:47119 0:47321 0:48166 0:48293 0:48297 0:48781 0:49060
0:49124 0:50384 0:50448 0:50577 0:50911 0:50952 0:56462 0:57073 0:57363 1299:150
3249:10643 3249:11000 3249:11001 3356:90 6854:1009 6854:1509 6854:1605 6854:1665
8359:2094 8631:8631 8744:52994 8744:53124 8744:53134 8744:59994 12389:6992
12389:7130 12389:7993 12389:8020 12389:8995 25478:10011 25478:10931 25478:24000
25478:29000 31133:10008 31133:25002
Originator Id: x.y.z.w
Cluster ID List: x.y.z.w z.x.y.w
--
rix
Index: usr.sbin/bgpctl/bgpctl.c
===
RCS file: /OpenBSD/src/usr.sbin/bgpctl/bgpctl.c,v
retrieving revision 1.173
diff -u -p -r1.173 bgpctl.c
--- usr.sbin/bgpctl/bgpctl.c13 Nov 2013 22:52:41 - 1.173
+++ usr.sbin/bgpctl/bgpctl.c3 Mar 2014 13:21:23 -
@@ -1346,7 +1346,6 @@ show_attr(void *b, u_int16_t len)
u_int16_talen, ioff;
u_int8_t flags, type;
- data = b;
if (len 3)
errx(1, show_attr: too short bgp attr);
@@ -1362,7 +1361,7 @@ show_attr(void *b, u_int16_t len)
data += 4;
len -= 4;
} else {
- alen = data[2];
+ alen = (u_char)data[2];
data += 3;
len -= 3;
}
Re: bgpctl show_attr bad length fix
On 2014/03/18 08:57, rivo nurges wrote:
Hi!
When show_attr reads data length from provided data it reads carbage
to alen and fails afterwards. This patch fixes the problem by casting
the data to u_char. While at it I noticed data gets assigned twice.
bgpctl.c: /* bad imsg len how can that happen!? */
bgpctl.c: if (alen len)
bgpctl.c: errx(1, show_attr: bad length);
It can happen:D
Example failing prefix with long community list:
Before:
BGP routing table entry for 5.44.0.0/20
25478 31499 39812
Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w)
Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best
Last update: 00:12:11 ago
bgpctl: show_attr: bad length
Haven't found any in my route views yet, though I only got part-way
through when I realised quite how much cpu time session engine was
burning doing a sh rib d (hundreds of clock_gettime a second)
and stopped as I worried about it not maintaining sessions and
tripping idle timers.
Index: usr.sbin/bgpctl/bgpctl.c
===
RCS file: /OpenBSD/src/usr.sbin/bgpctl/bgpctl.c,v
retrieving revision 1.173
diff -u -p -r1.173 bgpctl.c
--- usr.sbin/bgpctl/bgpctl.c 13 Nov 2013 22:52:41 - 1.173
+++ usr.sbin/bgpctl/bgpctl.c 3 Mar 2014 13:21:23 -
@@ -1346,7 +1346,6 @@ show_attr(void *b, u_int16_t len)
u_int16_talen, ioff;
u_int8_t flags, type;
- data = b;
if (len 3)
errx(1, show_attr: too short bgp attr);
@@ -1362,7 +1361,7 @@ show_attr(void *b, u_int16_t len)
data += 4;
len -= 4;
} else {
- alen = data[2];
+ alen = (u_char)data[2];
data += 3;
len -= 3;
}
This is OK sthen@
Re: bgpctl show_attr bad length fix
Commited, thanks
On Tue, Mar 18, 2014 at 08:57:40AM +, rivo nurges wrote:
Hi!
When show_attr reads data length from provided data it reads carbage
to alen and fails afterwards. This patch fixes the problem by casting
the data to u_char. While at it I noticed data gets assigned twice.
bgpctl.c: /* bad imsg len how can that happen!? */
bgpctl.c: if (alen len)
bgpctl.c: errx(1, show_attr: bad length);
It can happen:D
Example failing prefix with long community list:
Before:
BGP routing table entry for 5.44.0.0/20
25478 31499 39812
Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w)
Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best
Last update: 00:12:11 ago
bgpctl: show_attr: bad length
After:
BGP routing table entry for 5.44.0.0/20
25478 31499 39812
Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w)
Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best
Last update: 00:11:13 ago
Communities: 0:5429 0:6719 0:8241 0:8636 0:8641 0:24955 0:25478 0:25532
0:29000 0:29319 0:30784 0:31225 0:41349 0:41475 0:42511 0:42754 0:43973
0:44020
0:44053 0:44281 0:47104 0:47119 0:47321 0:48166 0:48293 0:48297 0:48781
0:49060
0:49124 0:50384 0:50448 0:50577 0:50911 0:50952 0:56462 0:57073 0:57363
1299:150
3249:10643 3249:11000 3249:11001 3356:90 6854:1009 6854:1509 6854:1605
6854:1665
8359:2094 8631:8631 8744:52994 8744:53124 8744:53134 8744:59994 12389:6992
12389:7130 12389:7993 12389:8020 12389:8995 25478:10011 25478:10931
25478:24000
25478:29000 31133:10008 31133:25002
Originator Id: x.y.z.w
Cluster ID List: x.y.z.w z.x.y.w
--
rix
Index: usr.sbin/bgpctl/bgpctl.c
===
RCS file: /OpenBSD/src/usr.sbin/bgpctl/bgpctl.c,v
retrieving revision 1.173
diff -u -p -r1.173 bgpctl.c
--- usr.sbin/bgpctl/bgpctl.c 13 Nov 2013 22:52:41 - 1.173
+++ usr.sbin/bgpctl/bgpctl.c 3 Mar 2014 13:21:23 -
@@ -1346,7 +1346,6 @@ show_attr(void *b, u_int16_t len)
u_int16_talen, ioff;
u_int8_t flags, type;
- data = b;
if (len 3)
errx(1, show_attr: too short bgp attr);
@@ -1362,7 +1361,7 @@ show_attr(void *b, u_int16_t len)
data += 4;
len -= 4;
} else {
- alen = data[2];
+ alen = (u_char)data[2];
data += 3;
len -= 3;
}
--
I'm not entirely sure you are real.
