From d38427aacd11eb2a632cdfa0d680cb4f6603511c Mon Sep 17 00:00:00 2001 From: claudio Date: Thu, 7 May 2026 20:35:19 +0000 Subject: [PATCH] Use unsigned int for the length variable when traversing the others array. Doing this in all places now after fixing an overflow in attr_optadd(). OK tb@ deraadt@ --- usr.sbin/bgpd/mrt.c | 5 +++-- usr.sbin/bgpd/rde.c | 6 +++--- usr.sbin/bgpd/rde_attr.c | 22 ++++++++++++++-------- usr.sbin/bgpd/rde_update.c | 5 +++-- 4 files changed, 23 insertions(+), 15 deletions(-) diff --git a/usr.sbin/bgpd/mrt.c b/usr.sbin/bgpd/mrt.c index 434a7da0e13..aaaf24afee0 100644 --- a/usr.sbin/bgpd/mrt.c +++ b/usr.sbin/bgpd/mrt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mrt.c,v 1.134 2026/02/17 14:06:44 claudio Exp $ */ +/* $OpenBSD: mrt.c,v 1.135 2026/05/07 20:35:19 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Claudio Jeker @@ -222,9 +222,10 @@ mrt_attr_dump(struct ibuf *buf, struct rde_aspath *a, struct rde_community *c, struct attr *oa; u_char *pdata; uint32_t tmp; + unsigned int l; int neednewpath = 0; uint16_t plen, afi; - uint8_t l, safi; + uint8_t safi; /* origin */ if (attr_writebuf(buf, ATTR_WELL_KNOWN, ATTR_ORIGIN, diff --git a/usr.sbin/bgpd/rde.c b/usr.sbin/bgpd/rde.c index c9e4fdd7896..fe670cd5304 100644 --- a/usr.sbin/bgpd/rde.c +++ b/usr.sbin/bgpd/rde.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde.c,v 1.696 2026/05/07 09:42:26 claudio Exp $ */ +/* $OpenBSD: rde.c,v 1.697 2026/05/07 20:35:19 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -2923,7 +2923,7 @@ rde_dump_rib_as(struct prefix *p, struct rde_aspath *asp, pid_t pid, int flags) struct rde_peer *peer; monotime_t staletime; size_t aslen; - uint8_t l; + unsigned int l; nexthop = prefix_nexthop(p); peer = prefix_peer(p); @@ -3041,7 +3041,7 @@ rde_dump_adjout_as(struct rde_peer *peer, struct pt_entry *pte, struct rde_aspath *asp; struct nexthop *nexthop; size_t aslen; - uint8_t l; + unsigned int l; nexthop = attrs->nexthop; asp = attrs->aspath; diff --git a/usr.sbin/bgpd/rde_attr.c b/usr.sbin/bgpd/rde_attr.c index faaad41bb84..7174cc08768 100644 --- a/usr.sbin/bgpd/rde_attr.c +++ b/usr.sbin/bgpd/rde_attr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_attr.c,v 1.143 2026/05/05 08:37:45 claudio Exp $ */ +/* $OpenBSD: rde_attr.c,v 1.144 2026/05/07 20:35:19 claudio Exp $ */ /* * Copyright (c) 2004 Claudio Jeker @@ -152,7 +152,7 @@ attr_optadd(struct rde_aspath *asp, uint8_t flags, uint8_t type, struct attr * attr_optget(const struct rde_aspath *asp, uint8_t type) { - uint8_t l; + unsigned int l; for (l = 0; l < asp->others_len; l++) { if (asp->others[l] == NULL) @@ -168,7 +168,7 @@ attr_optget(const struct rde_aspath *asp, uint8_t type) void attr_copy(struct rde_aspath *t, const struct rde_aspath *s) { - uint8_t l; + unsigned int l; if (t->others != NULL) attr_freeall(t); @@ -208,22 +208,25 @@ attr_eq(const struct attr *oa, const struct attr *ob) int attr_equal(const struct rde_aspath *a, const struct rde_aspath *b) { - uint8_t l; + unsigned int l; if (a->others_len != b->others_len) return (0); - for (l = 0; l < a->others_len; l++) + for (l = 0; l < a->others_len; l++) { if (a->others[l] != b->others[l]) return (0); + if (a->others[l] == NULL) + break; + } return (1); } void attr_free(struct rde_aspath *asp, struct attr *attr) { - uint8_t l; + unsigned int l; - for (l = 0; l < asp->others_len; l++) + for (l = 0; l < asp->others_len; l++) { if (asp->others[l] == attr) { attr_put(asp->others[l]); for (++l; l < asp->others_len; l++) @@ -231,6 +234,9 @@ attr_free(struct rde_aspath *asp, struct attr *attr) asp->others[asp->others_len - 1] = NULL; return; } + if (asp->others[l] == NULL) + break; + } /* no realloc() because the slot may be reused soon */ } @@ -238,7 +244,7 @@ attr_free(struct rde_aspath *asp, struct attr *attr) void attr_freeall(struct rde_aspath *asp) { - uint8_t l; + unsigned int l; for (l = 0; l < asp->others_len; l++) attr_put(asp->others[l]); diff --git a/usr.sbin/bgpd/rde_update.c b/usr.sbin/bgpd/rde_update.c index a78d218f624..5e9ce195e1e 100644 --- a/usr.sbin/bgpd/rde_update.c +++ b/usr.sbin/bgpd/rde_update.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_update.c,v 1.193 2026/02/11 10:24:57 claudio Exp $ */ +/* $OpenBSD: rde_update.c,v 1.194 2026/05/07 20:35:19 claudio Exp $ */ /* * Copyright (c) 2004 Claudio Jeker @@ -591,9 +591,10 @@ up_generate_attr(struct ibuf *buf, struct rde_peer *peer, struct attr *oa = NULL, *newaggr = NULL; u_char *pdata; uint32_t tmp32; + unsigned int oalen = 0; int flags, neednewpath = 0, rv; uint16_t plen; - uint8_t oalen = 0, type; + uint8_t type; if (asp->others_len > 0) oa = asp->others[oalen++];