bgpd: Correct a few fuzz failures in BGP
Testing revealed some issues with handling data input.
This patch fixes those issues.
Signed-off-by: Daniel Walton <dwalton@cumulusnetworks.com>
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 3b96bb2..f6d5d8e 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2157,9 +2157,11 @@
{
zlog (peer->log, LOG_WARNING,
"%s: BGP type %d length %d is too large, attribute total length is %d. attr_endp is %p. endp is %p", peer->host, type, length, size, attr_endp, endp);
- bgp_notify_send (peer,
- BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR);
+ zlog_warn ("%s: BGP type %d length %d is too large, attribute total length is %d. attr_endp is %p. endp is %p", peer->host, type, length, size, attr_endp, endp);
+ bgp_notify_send_with_data (peer,
+ BGP_NOTIFY_UPDATE_ERR,
+ BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ startp, attr_endp - startp);
return BGP_ATTR_PARSE_ERROR;
}
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 9743d06..0c47ab5 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1243,6 +1243,7 @@
int mp_capability;
u_int8_t notify_data_remote_as[2];
u_int8_t notify_data_remote_id[4];
+ u_int16_t *holdtime_ptr;
realpeer = NULL;
@@ -1250,6 +1251,7 @@
version = stream_getc (peer->ibuf);
memcpy (notify_data_remote_as, stream_pnt (peer->ibuf), 2);
remote_as = stream_getw (peer->ibuf);
+ holdtime_ptr = (u_int16_t *)stream_pnt (peer->ibuf);
holdtime = stream_getw (peer->ibuf);
memcpy (notify_data_remote_id, stream_pnt (peer->ibuf), 4);
remote_id.s_addr = stream_get_ipv4 (peer->ibuf);
@@ -1522,9 +1524,10 @@
if (holdtime < 3 && holdtime != 0)
{
- bgp_notify_send (peer,
- BGP_NOTIFY_OPEN_ERR,
- BGP_NOTIFY_OPEN_UNACEP_HOLDTIME);
+ bgp_notify_send_with_data (peer,
+ BGP_NOTIFY_OPEN_ERR,
+ BGP_NOTIFY_OPEN_UNACEP_HOLDTIME,
+ (u_int8_t *)holdtime_ptr, 2);
return -1;
}