[bgpd] Bug #354: Take care to keep reads of MP_(UN)REACH_NLRI in bounds

2007-04-08 Paul Jakma <paul.jakma@sun.com>

	* bgp_attr.c: (general) Bug #354: parsing of MP_REACH_NLRI and
	  MP_UNREACH_NLRI does not take sufficient care to ensure reads
	  from stream buffer stay in-bounds. Hence bgpd may attempt to read
	  beyond end of stream, if given a crafted packet. As it uses the
	  stream access methods to do so, this will typically result in
	  assert() being hit in stream.c. Where code is compiled without
	  assert() enabled, result is unknown.
	  (struct message attr_str) should be static.
	  (bgp_mp_reach_parse) Carefully check length remaining in stream
	  against amount desired to read from stream, prior to each read,
	  particularly where lengths are conditional on data obtained from
	  stream - using STREAM_READABLE.
	  Remove code to parse SNPA-number, it's a defunct field and changed
	  to a fixed size in latest BGP MP update RFC - log warning if
	  SNPA-number is not 0.
	  (bgp_mp_unreach_parse) Check withdraw_length carefully against
	  STREAM_READABLE.
	  (bgp_attr_parse) If attribute-parser function returns error, log
	  warning.
	  Log attribute type on mismatch.

0 files changed, 0 insertions, 0 deletions