authorClaudio Jeker <claudio@cvs.openbsd.org>2023-05-25 14:20:26 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2023-05-25 14:20:26 +0000
commitc54adb2f5c93bc00c6dca504f31f3af55c58008e (patch)
treebca1a9babb04d3f7278cc07639877466a6b24ddf
parent8325393045143409315e7b00cd2f05b17761c753 (diff)
In session_process_msg() recheck the validity of the rbuf before moving
the remaining data around. There is an improbable case where a NOTIFICATION is received while also reaching the MSG_PROCESS_LIMIT. In this case rbuf is NULL when breaking out of the for loop and hitting this code. sthen@ is the (un)lucky person to hit that improbable case. OK tb@ sthen@
-rw-r--r--usr.sbin/bgpd/session.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index c8debdb4d15..543b6bfedab 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.444 2023/05/05 07:28:08 claudio Exp $ */
+/* $OpenBSD: session.c,v 1.445 2023/05/25 14:20:25 claudio Exp $ */
/*
* Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@@ -1998,6 +1998,8 @@ session_process_msg(struct peer *p)
}
}
+ if (p->rbuf == NULL)
+ return;
if (rpos < av) {
left = av - rpos;
memmove(&p->rbuf->buf, p->rbuf->buf + rpos, left);
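Review bot: The new `if (p->rbuf == NULL) return;` guard ahead of the `rpos < av` compaction has no comment, so the reason rbuf can be NULL at this point is recorded only in the commit message. A short comment above it would keep the invariant visible to the next maintainer, e.g. `/* a NOTIFICATION handled in the loop above can leave rbuf NULL; nothing to compact */`. Because the condition is reached through peer-supplied messages and the `memmove` below dereferences `p->rbuf`, it is also worth confirming that no other statement between the end of the loop and this guard touches `p->rbuf`. The loop and the rest of session_process_msg() lie outside the hunk, so that cannot be checked from here.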