Re: bgpd trigger error on pt_fill abuse

Tue, 28 Mar 2023 10:00:27 -0700 

On Tue, Mar 28, 2023 at 06:49:38PM +0200, Claudio Jeker wrote:
> I almost stepped into this trap and tried to pt_ref the static memory
> returned by pt_fill(). That wont work so better make the code explode.
> By setting the refcnt to USHRT_MAX a following pr_ref() call will fail.
> Since pt_alloc copies the passed data structure reset the refcnt to 0 there.
> 
> I think this is a reasonable change to protect from silly but hard to spot
> mistakes.

Yes. That absolutely makes sense.

ok tb

> -- 
> :wq Claudio
> 
> Index: rde_prefix.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/rde_prefix.c,v
> retrieving revision 1.45
> diff -u -p -r1.45 rde_prefix.c
> --- rde_prefix.c      28 Mar 2023 15:17:34 -0000      1.45
> +++ rde_prefix.c      28 Mar 2023 16:36:33 -0000
> @@ -21,6 +21,7 @@
>  
>  #include <endian.h>
>  #include <errno.h>
> +#include <limits.h>
>  #include <stdlib.h>
>  #include <string.h>
>  
> @@ -162,6 +163,7 @@ pt_fill(struct bgpd_addr *prefix, int pr
>       switch (prefix->aid) {
>       case AID_INET:
>               memset(&pte4, 0, sizeof(pte4));
> +             pte4.refcnt = USHRT_MAX;
>               pte4.aid = prefix->aid;
>               if (prefixlen > 32)
>                       fatalx("pt_fill: bad IPv4 prefixlen");
> @@ -170,6 +172,7 @@ pt_fill(struct bgpd_addr *prefix, int pr
>               return ((struct pt_entry *)&pte4);
>       case AID_INET6:
>               memset(&pte6, 0, sizeof(pte6));
> +             pte6.refcnt = USHRT_MAX;
>               pte6.aid = prefix->aid;
>               if (prefixlen > 128)
>                       fatalx("pt_fill: bad IPv6 prefixlen");
> @@ -178,6 +181,7 @@ pt_fill(struct bgpd_addr *prefix, int pr
>               return ((struct pt_entry *)&pte6);
>       case AID_VPN_IPv4:
>               memset(&pte_vpn4, 0, sizeof(pte_vpn4));
> +             pte_vpn4.refcnt = USHRT_MAX;
>               pte_vpn4.aid = prefix->aid;
>               if (prefixlen > 32)
>                       fatalx("pt_fill: bad IPv4 prefixlen");
> @@ -190,6 +194,7 @@ pt_fill(struct bgpd_addr *prefix, int pr
>               return ((struct pt_entry *)&pte_vpn4);
>       case AID_VPN_IPv6:
>               memset(&pte_vpn6, 0, sizeof(pte_vpn6));
> +             pte_vpn6.refcnt = USHRT_MAX;
>               pte_vpn6.aid = prefix->aid;
>               if (prefixlen > 128)
>                       fatalx("pt_get: bad IPv6 prefixlen");
> @@ -360,6 +365,7 @@ pt_alloc(struct pt_entry *op)
>       rdemem.pt_cnt[op->aid]++;
>       rdemem.pt_size[op->aid] += pt_sizes[op->aid];
>       memcpy(p, op, pt_sizes[op->aid]);
> +     p->refcnt = 0;
>  
>       return (p);
>  }
>

Reply via email to