Re: system/5052: abend in bgpd
- To: bugs_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: Re: system/5052: abend in bgpd
- From: Claudio Jeker <claudio_(_at_)_openbsd_(_dot_)_org>
- Date: Sun, 12 Mar 2006 14:25:02 -0700 (MST)
- Cc:
- Reply-to: Claudio Jeker <claudio_(_at_)_openbsd_(_dot_)_org>
The following reply was made to PR system/5052; it has been noted by GNATS.
From: Claudio Jeker <claudio_(_at_)_openbsd_(_dot_)_org>
To: pvickers_(_at_)_broadpark_(_dot_)_no
Cc: gnats_(_at_)_openbsd_(_dot_)_org, Henning Brauer <henning_(_at_)_openbsd_(_dot_)_org>
Subject: Re: system/5052: abend in bgpd
Date: Sun, 12 Mar 2006 22:10:26 +0100
On Sun, Mar 12, 2006 at 07:52:27PM +0100, pvickers_(_at_)_broadpark_(_dot_)_no wrote:
> >Number: 5052
> >Category: system
> >Synopsis: bgpd crashes when fed junk in its control socket
> >Confidential: yes
> >Severity: non-critical
> >Priority: low
> >Responsible: bugs
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: net
> >Arrival-Date: Sun Mar 12 20:10:02 GMT 2006
> >Closed-Date:
> >Last-Modified:
> >Originator: Pete Vickers
> >Release: 3.9-current
> >Organization:
> systemnet
> >Environment:
>
> System : OpenBSD 3.9
> Architecture: OpenBSD.i386
> Machine : i386
> >Description:
> I'm playing with distributing spam blacklists via bgp with my net. I have a route server which I load up with spam hosts gleaned from spam blacklists, and then routers can peer with the route server and dynamically acquire the blacklist(s).
> I fed bgpd something stupid via its control socket (admittedly as root) and bgpd crashed, which I think should be protected against.
> >How-To-Repeat:
> fire up bgpd, then run: #lynx -dump -dont_wrap_pre www.openbsd.org/spamd/spews_list_level1.txt.gz | awk ' /^[0-9]+/ { while ( "bgpctl network add $1" | getline ) print } ' as superuser
> >Fix:
> bgpd should probably validate input before processing it... and I should write better shell scripts to feed bgpd correctly.
>
>
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
>
Could you try the following diff? This seems to fix the problem for me.
--
:wq Claudio
Index: rde.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.200
diff -u -p -r1.200 rde.c
--- rde.c 10 Feb 2006 14:34:40 -0000 1.200
+++ rde.c 12 Mar 2006 21:05:52 -0000
@@ -343,7 +343,22 @@ rde_dispatch_imsg_session(struct imsgbuf
break;
}
session_set = NULL;
- network_add(&netconf_s, 0);
+ switch (netconf_s.prefix.af) {
+ case AF_INET:
+ if (netconf_s.prefixlen > 32)
+ goto badnet;
+ network_add(&netconf_s, 0);
+ break;
+ case AF_INET6:
+ if (netconf_s.prefixlen > 128)
+ goto badnet;
+ network_add(&netconf_s, 0);
+ break;
+ default:
+badnet:
+ log_warnx("rde_dispatch: bad network");
+ break;
+ }
break;
case IMSG_NETWORK_REMOVE:
if (imsg.hdr.len - IMSG_HEADER_SIZE !=
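Review bot: the prefix-length bound is enforced only on the add path, while the IMSG_NETWORK_REMOVE case visible in the trailing context is untouched; if that case passes the same prefix.af / prefixlen pair from the control socket into the RDE, it needs the same check, otherwise an out-of-range length can still reach the prefix code through a remove request. Two smaller points in the new switch: `goto badnet` jumps into the `default:` arm and `network_add(&netconf_s, 0)` is duplicated in both address-family arms, so it would read more easily to pick the maximum length (32 or 128) per family in the switch and do a single length test and a single network_add() call after it. The `log_warnx("rde_dispatch: bad network")` message also gives the operator nothing to go on; including the address family and the rejected prefixlen would make a malformed control message traceable from the log.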