diff options
| author | Ondrej Zajicek <santiago@crfreenet.org> | 2010-07-22 15:09:35 +0200 |
|---|---|---|
| committer | Ondrej Zajicek <santiago@crfreenet.org> | 2010-07-22 15:09:35 +0200 |
| commit | 852b7062e33b9886eb869fac8b9354497c49b126 (patch) | |
| tree | acdd88ced9d2e223241be82c063f34a03f0c7ae0 | |
| parent | 7873e9828ff7ba7203fd30ffa7d50859d583d4ca (diff) | |
| download | bird-852b7062e33b9886eb869fac8b9354497c49b126.tar bird-852b7062e33b9886eb869fac8b9354497c49b126.zip | |
Fixes a buffer overflow in TX code of IPv6 BGP.
| -rw-r--r-- | nest/rt-table.c | 2 | ||||
| -rw-r--r-- | proto/bgp/packets.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/nest/rt-table.c b/nest/rt-table.c index b525694..f40cc80 100644 --- a/nest/rt-table.c +++ b/nest/rt-table.c @@ -354,7 +354,7 @@ rte_validate(rte *e) int c; net *n = e->net; - if (ipa_nonzero(ipa_and(n->n.prefix, ipa_not(ipa_mkmask(n->n.pxlen))))) + if ((n->n.pxlen > BITS_PER_IP_ADDRESS) || !ip_is_prefix(n->n.prefix,n->n.pxlen)) { log(L_BUG "Ignoring bogus prefix %I/%d received via %s", n->n.prefix, n->n.pxlen, e->sender->name); diff --git a/proto/bgp/packets.c b/proto/bgp/packets.c index 6e23022..ba43cd2 100644 --- a/proto/bgp/packets.c +++ b/proto/bgp/packets.c @@ -219,7 +219,7 @@ bgp_encode_prefixes(struct bgp_proto *p, byte *w, struct bgp_bucket *buck, unsig ip_addr a; int bytes; - while (!EMPTY_LIST(buck->prefixes) && remains >= 5) + while (!EMPTY_LIST(buck->prefixes) && remains >= (1+sizeof(ip_addr))) { struct bgp_prefix *px = SKIP_BACK(struct bgp_prefix, bucket_node, HEAD(buck->prefixes)); DBG("\tDequeued route %I/%d\n", px->n.prefix, px->n.pxlen); |