authorClaudio Jeker <claudio@cvs.openbsd.org>2009-02-17 14:10:49 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2009-02-17 14:10:49 +0000
commite099975fe596cc787489d563e67249857225e576 (patch)
treec4a7b739cc9537caf87adca77b81c13a9b158536
parent6bde699ca7143b37b5f59eea3c235dd59d0b9514 (diff)
Fix aspath_prepend() in the case an AS-PATH has a sequence of 255 elements
and we try to prepend. The result was a corrupt AS-PATH and an RDE fatal later on when some other operation was run on that path. Found the hard way by henning@ and sthen@. OK henning@, sthen@
-rw-r--r--usr.sbin/bgpd/rde_attr.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/usr.sbin/bgpd/rde_attr.c b/usr.sbin/bgpd/rde_attr.c
index 07805720f4c..19bbce3126f 100644
--- a/usr.sbin/bgpd/rde_attr.c
+++ b/usr.sbin/bgpd/rde_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde_attr.c,v 1.77 2009/01/13 21:35:16 sthen Exp $ */
+/* $OpenBSD: rde_attr.c,v 1.78 2009/02/17 14:10:48 claudio Exp $ */
/*
* Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
@@ -832,6 +832,8 @@ aspath_prepend(struct aspath *asp, u_int32_t as, int quantum, u_int16_t *len)
size = 0;
}
+ if (quantum > 255)
+ fatalx("aspath_prepend: preposterous prepend");
if (quantum == 0) {
/* no change needed but return a copy */
p = malloc(asp->len);
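Review bot: The added guard `if (quantum > 255)` bounds only the upper side, but `quantum` is a signed `int` in the signature, so a negative value passes this check and the `quantum == 0` branch and reaches the length arithmetic below, where multiplying by `sizeof(u_int32_t)` converts it to a very large unsigned value. If callers can never pass a negative count, a short comment saying so would help; otherwise the guard should read `if (quantum < 0 || quantum > 255)`. Since fatalx() presumably ends the RDE process, the value is best range-checked where it is parsed as well, so that a bad prepend count is rejected at configuration time rather than at runtime. The body of aspath_prepend() starts and ends outside this hunk.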
@@ -843,7 +845,10 @@ aspath_prepend(struct aspath *asp, u_int32_t as, int quantum, u_int16_t *len)
} else if (type == AS_SET || size + quantum > 255) {
/* need to attach a new AS_SEQUENCE */
l = 2 + quantum * sizeof(u_int32_t) + asp->len;
- overflow = type == AS_SET ? quantum : (size + quantum) & 0xff;
+ if (type == AS_SET)
+ overflow = quantum;
+ else
+ overflow = size + quantum - 255;
} else
l = quantum * sizeof(u_int32_t) + asp->len;
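Review bot: The segment-size fix is sound, but the total computed in `l = 2 + quantum * sizeof(u_int32_t) + asp->len;` (and in the `else` branch) is still not checked against the width of the length type. `*len` is a `u_int16_t`, and if `l` is 16-bit too (its declaration is outside the hunk), a long existing path plus up to 1022 prepended bytes could wrap, leaving the buffer allocated later in the function smaller than the data written into it. Whether a path that long can reach this function is not visible here, so an explicit check before the branch makes the invariant local: `if (asp->len > 0xffff - 2 - quantum * sizeof(u_int32_t)) fatalx("aspath_prepend: path too long");`. A one-line comment on the new `overflow = size + quantum - 255;` would also help, e.g. `/* top up the first segment to 255, the rest goes into the new one */`.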