diff options
| author | Claudio Jeker <claudio@cvs.openbsd.org> | 2015-02-11 05:48:54 +0000 |
|---|---|---|
| committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2015-02-11 05:48:54 +0000 |
| commit | 9d152e63a50c863c94cf331facf969fd198c2873 (patch) | |
| tree | 0734657f9d451748c34efa4cc0947f9eb3b3b85e | |
| parent | ba774b6adaeb35410abadbeb117292689f9fcef1 (diff) | |
Use sizeof(u_short) in the first check since there are RT messages that
are less then sizeof(*rtm) bytes long (e.g. interface announcements).
Found the hard way by phessler@
| -rw-r--r-- | usr.sbin/bgpd/kroute.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/usr.sbin/bgpd/kroute.c b/usr.sbin/bgpd/kroute.c index b309656fc15..99060908ec3 100644 --- a/usr.sbin/bgpd/kroute.c +++ b/usr.sbin/bgpd/kroute.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kroute.c,v 1.201 2015/02/10 05:18:39 claudio Exp $ */ +/* $OpenBSD: kroute.c,v 1.202 2015/02/11 05:48:53 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> @@ -3038,7 +3038,7 @@ dispatch_rtmsg(void) lim = buf + n; for (next = buf; next < lim; next += rtm->rtm_msglen) { rtm = (struct rt_msghdr *)next; - if (lim < next + sizeof(*rtm) || + if (lim < next + sizeof(u_short) || lim < next + rtm->rtm_msglen) fatalx("dispatch_rtmsg: partial rtm in buffer"); if (rtm->rtm_version != RTM_VERSION) |