aspath_extract() should do at least a minimal overflow check and not
access memory after the segment. Can't use fatalx here because bgpctl
also uses this function. Instead return 0, which is an invalid ASN.
No code will check the return value but that is fine since all callers
ensure that pos does not overflow.
--
:wq Claudio
Index: util.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/util.c,v
retrieving revision 1.69
diff -u -p -r1.69 util.c
--- util.c 28 Jun 2022 05:49:05 -0000 1.69
+++ util.c 28 Jun 2022 08:31:10 -0000
@@ -364,7 +364,7 @@ aspath_strlen(void *data, uint16_t len)
/*
* Extract the asnum out of the as segment at the specified position.
* Direct access is not possible because of non-aligned reads.
- * ATTENTION: no bounds checks are done.
+ * Only works on verified 4-byte AS paths.
*/
uint32_t
aspath_extract(const void *seg, int pos)
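Review bot: the replaced comment line drops the bounds warning but does not document the behaviour this diff introduces, namely that aspath_extract() now returns 0 when pos is beyond the segment. Add a line such as `* Returns 0 (an invalid ASN) if pos is out of range.` so a caller that does want to check the result has a documented contract, rather than having to read the body.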
@@ -372,6 +372,9 @@ aspath_extract(const void *seg, int pos)
const u_char *ptr = seg;
uint32_t as;
+ /* minimal overflow check, return 0 since that is an invalid ASN */
+ if (pos >= ptr[1])
+ return (0);
ptr += 2 + sizeof(uint32_t) * pos;
memcpy(&as, ptr, sizeof(uint32_t));
return (ntohl(as));
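Review bot: the new check `if (pos >= ptr[1])` does not cover a negative pos. The parameter is declared `int` and `ptr[1]` is a u_char promoted to int, so any pos < 0 passes the comparison and `ptr += 2 + sizeof(uint32_t) * pos;` then computes an address before the start of the segment. Since the stated goal is not to access memory outside the segment, either extend the condition to `if (pos < 0 || pos >= ptr[1])` or change the parameter type to an unsigned one so the single comparison is sufficient.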