bgpctl show_attr bad length fix
Hi! When show_attr reads data length from provided data it reads carbage to alen and fails afterwards. This patch fixes the problem by casting the data to u_char. While at it I noticed data gets assigned twice. bgpctl.c: /* bad imsg len how can that happen!? */ bgpctl.c: if (alen len) bgpctl.c: errx(1, show_attr: bad length); It can happen:D Example failing prefix with long community list: Before: BGP routing table entry for 5.44.0.0/20 25478 31499 39812 Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w) Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best Last update: 00:12:11 ago bgpctl: show_attr: bad length After: BGP routing table entry for 5.44.0.0/20 25478 31499 39812 Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w) Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best Last update: 00:11:13 ago Communities: 0:5429 0:6719 0:8241 0:8636 0:8641 0:24955 0:25478 0:25532 0:29000 0:29319 0:30784 0:31225 0:41349 0:41475 0:42511 0:42754 0:43973 0:44020 0:44053 0:44281 0:47104 0:47119 0:47321 0:48166 0:48293 0:48297 0:48781 0:49060 0:49124 0:50384 0:50448 0:50577 0:50911 0:50952 0:56462 0:57073 0:57363 1299:150 3249:10643 3249:11000 3249:11001 3356:90 6854:1009 6854:1509 6854:1605 6854:1665 8359:2094 8631:8631 8744:52994 8744:53124 8744:53134 8744:59994 12389:6992 12389:7130 12389:7993 12389:8020 12389:8995 25478:10011 25478:10931 25478:24000 25478:29000 31133:10008 31133:25002 Originator Id: x.y.z.w Cluster ID List: x.y.z.w z.x.y.w -- rix Index: usr.sbin/bgpctl/bgpctl.c === RCS file: /OpenBSD/src/usr.sbin/bgpctl/bgpctl.c,v retrieving revision 1.173 diff -u -p -r1.173 bgpctl.c --- usr.sbin/bgpctl/bgpctl.c13 Nov 2013 22:52:41 - 1.173 +++ usr.sbin/bgpctl/bgpctl.c3 Mar 2014 13:21:23 - @@ -1346,7 +1346,6 @@ show_attr(void *b, u_int16_t len) u_int16_talen, ioff; u_int8_t flags, type; - data = b; if (len 3) errx(1, show_attr: too short bgp attr); @@ -1362,7 +1361,7 @@ show_attr(void *b, u_int16_t len) data += 4; len -= 4; } else { - alen = data[2]; + alen = (u_char)data[2]; data += 3; len -= 3; }
Re: bgpctl show_attr bad length fix
On 2014/03/18 08:57, rivo nurges wrote: Hi! When show_attr reads data length from provided data it reads carbage to alen and fails afterwards. This patch fixes the problem by casting the data to u_char. While at it I noticed data gets assigned twice. bgpctl.c: /* bad imsg len how can that happen!? */ bgpctl.c: if (alen len) bgpctl.c: errx(1, show_attr: bad length); It can happen:D Example failing prefix with long community list: Before: BGP routing table entry for 5.44.0.0/20 25478 31499 39812 Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w) Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best Last update: 00:12:11 ago bgpctl: show_attr: bad length Haven't found any in my route views yet, though I only got part-way through when I realised quite how much cpu time session engine was burning doing a sh rib d (hundreds of clock_gettime a second) and stopped as I worried about it not maintaining sessions and tripping idle timers. Index: usr.sbin/bgpctl/bgpctl.c === RCS file: /OpenBSD/src/usr.sbin/bgpctl/bgpctl.c,v retrieving revision 1.173 diff -u -p -r1.173 bgpctl.c --- usr.sbin/bgpctl/bgpctl.c 13 Nov 2013 22:52:41 - 1.173 +++ usr.sbin/bgpctl/bgpctl.c 3 Mar 2014 13:21:23 - @@ -1346,7 +1346,6 @@ show_attr(void *b, u_int16_t len) u_int16_talen, ioff; u_int8_t flags, type; - data = b; if (len 3) errx(1, show_attr: too short bgp attr); @@ -1362,7 +1361,7 @@ show_attr(void *b, u_int16_t len) data += 4; len -= 4; } else { - alen = data[2]; + alen = (u_char)data[2]; data += 3; len -= 3; } This is OK sthen@
Re: bgpctl show_attr bad length fix
Commited, thanks On Tue, Mar 18, 2014 at 08:57:40AM +, rivo nurges wrote: Hi! When show_attr reads data length from provided data it reads carbage to alen and fails afterwards. This patch fixes the problem by casting the data to u_char. While at it I noticed data gets assigned twice. bgpctl.c: /* bad imsg len how can that happen!? */ bgpctl.c: if (alen len) bgpctl.c: errx(1, show_attr: bad length); It can happen:D Example failing prefix with long community list: Before: BGP routing table entry for 5.44.0.0/20 25478 31499 39812 Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w) Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best Last update: 00:12:11 ago bgpctl: show_attr: bad length After: BGP routing table entry for 5.44.0.0/20 25478 31499 39812 Nexthop x.y.z.w (via 10.9.0.10) from x.y.z.w (x.y.z.w) Origin IGP, metric 4200, localpref 60, weight 0, internal, valid, best Last update: 00:11:13 ago Communities: 0:5429 0:6719 0:8241 0:8636 0:8641 0:24955 0:25478 0:25532 0:29000 0:29319 0:30784 0:31225 0:41349 0:41475 0:42511 0:42754 0:43973 0:44020 0:44053 0:44281 0:47104 0:47119 0:47321 0:48166 0:48293 0:48297 0:48781 0:49060 0:49124 0:50384 0:50448 0:50577 0:50911 0:50952 0:56462 0:57073 0:57363 1299:150 3249:10643 3249:11000 3249:11001 3356:90 6854:1009 6854:1509 6854:1605 6854:1665 8359:2094 8631:8631 8744:52994 8744:53124 8744:53134 8744:59994 12389:6992 12389:7130 12389:7993 12389:8020 12389:8995 25478:10011 25478:10931 25478:24000 25478:29000 31133:10008 31133:25002 Originator Id: x.y.z.w Cluster ID List: x.y.z.w z.x.y.w -- rix Index: usr.sbin/bgpctl/bgpctl.c === RCS file: /OpenBSD/src/usr.sbin/bgpctl/bgpctl.c,v retrieving revision 1.173 diff -u -p -r1.173 bgpctl.c --- usr.sbin/bgpctl/bgpctl.c 13 Nov 2013 22:52:41 - 1.173 +++ usr.sbin/bgpctl/bgpctl.c 3 Mar 2014 13:21:23 - @@ -1346,7 +1346,6 @@ show_attr(void *b, u_int16_t len) u_int16_talen, ioff; u_int8_t flags, type; - data = b; if (len 3) errx(1, show_attr: too short bgp attr); @@ -1362,7 +1361,7 @@ show_attr(void *b, u_int16_t len) data += 4; len -= 4; } else { - alen = data[2]; + alen = (u_char)data[2]; data += 3; len -= 3; } -- I'm not entirely sure you are real.