bgpd: Open option parse errors don't NOTIFY, resulting in abort & DoS

* bgp_packet.c: (bgp_open_receive) Errors from bgp_open_option_parse are
  detected, and the code will stop processing the OPEN and return.  However
  it does so without calling bgp_notify_send to send a NOTIFY - which means
  the peer FSM doesn't get stopped, and bgp_read will be called again later.
  Because it returns, it doesn't go through the code near the end of the
  function that removes the current message from the peer input streaam.
  Thus the next call to bgp_read will try to parse a half-parsed stream as
  if it were a new BGP message, leading to an assert later in the code when
  it tries to read stuff that isn't there. Add the required call to
  bgp_notify_send before returning.
* bgp_open.c: (bgp_capability_as4) Be a bit stricter, check the length field
  corresponds to the only value it can be, which is the amount we're going to
  read off the stream. And make sure the capability flag gets set, so
  callers can know this capability was read, regardless.
  (peek_for_as4_capability) Let bgp_capability_as4 do the length check.

0 files changed, 0 insertions, 0 deletions