summaryrefslogtreecommitdiffstats
path: root/bgpd/bgp_packet.c
diff options
context:
space:
mode:
authorTom Grennan <tgrennan@vyatta.com>2008-04-10 21:56:49 +0000
committerTom Grennan <tgrennan@vyatta.com>2008-04-10 21:56:49 +0000
commitc1bdabf8dd2f22a33fdc35b70b93e871f179445d (patch)
tree570e66e842fc556fc643e97aa37e0183ded19f56 /bgpd/bgp_packet.c
parentdb59fcc9e02b5755a92e4d2913420c1e09e05517 (diff)
parent9334b80b2c84f33d0d749b4a172f1d87a77a8544 (diff)
downloadquagga-c1bdabf8dd2f22a33fdc35b70b93e871f179445d.tar.bz2
quagga-c1bdabf8dd2f22a33fdc35b70b93e871f179445d.tar.xz
Merge branch 'upstream' into hollywood
Conflicts: ChangeLog zebra/zebra_rib.c
Diffstat (limited to 'bgpd/bgp_packet.c')
-rw-r--r--bgpd/bgp_packet.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 2b56259b..e8f77f10 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1960,11 +1960,14 @@ bgp_route_refresh_receive (struct peer *peer, bgp_size_t size)
when_to_refresh = stream_getc (s);
end = stream_pnt (s) + (size - 5);
- while (stream_pnt (s) < end)
+ while ((stream_pnt (s) + 2) < end)
{
orf_type = stream_getc (s);
orf_len = stream_getw (s);
-
+
+ /* orf_len in bounds? */
+ if ((stream_pnt (s) + orf_len) > end)
+ break; /* XXX: Notify instead?? */
if (orf_type == ORF_TYPE_PREFIX
|| orf_type == ORF_TYPE_PREFIX_OLD)
{
@@ -1984,6 +1987,12 @@ bgp_route_refresh_receive (struct peer *peer, bgp_size_t size)
peer->host, orf_type, orf_len);
}
+ /* we're going to read at least 1 byte of common ORF header,
+ * and 7 bytes of ORF Address-filter entry from the stream
+ */
+ if (orf_len < 7)
+ break;
+
/* ORF prefix-list name */
sprintf (name, "%s.%d.%d", peer->host, afi, safi);
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-14 15:24:25 +0000