commit 5bcd754ff8d7947978acb44e77dcab323973fb1e
author Daniel Walton <dwalton@cumulusnetworks.com> Tue May 19 17:58:10 2015 -0700
committer Paul Jakma <paul.jakma@hpe.com> Tue Oct 04 13:07:52 2016 +0100
tree 75fab09b53d3d810d327d8569e0f1e289550f941
parent 6c6c1bf0fc66713cb0b3448a4323042f44016502

bgpd: crash if attributes alone consume > 4096 bytes

This patch fixes a crash if attributes on a patch consume
more than 4096 bytes.

Signed-off-by: Daniel Walton <dwalton@cumulusnetworks.com>

bgpd/bgpd.c

diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 669782d..010e224 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -868,7 +868,19 @@
   /* Create buffers.  */
   peer->ibuf = stream_new (BGP_MAX_PACKET_SIZE);
   peer->obuf = stream_fifo_new ();
-  peer->work = stream_new (BGP_MAX_PACKET_SIZE);
+
+  /* We use a larger buffer for peer->work in the event that:
+   * - We RX a BGP_UPDATE where the attributes alone are just
+   *   under BGP_MAX_PACKET_SIZE
+   * - The user configures an outbound route-map that does many as-path
+   *   prepends or adds many communities.  At most they can have CMD_ARGC_MAX
+   *   args in a route-map so there is a finite limit on how large they can
+   *   make the attributes.
+   *
+   * Having a buffer with BGP_MAX_PACKET_SIZE_OVERFLOW allows us to avoid bounds
+   * checking for every single attribute as we construct an UPDATE.
+   */
+  peer->work = stream_new (BGP_MAX_PACKET_SIZE + BGP_MAX_PACKET_SIZE_OVERFLOW);
   peer->scratch = stream_new (BGP_MAX_PACKET_SIZE);
 
   bgp_sync_init (peer);