
Re: system/5052: abend in bgpd



The following reply was made to PR system/5052; it has been noted by GNATS.

From: Pete Vickers <pvickers_(_at_)_broadpark_(_dot_)_no>
To: Claudio Jeker <claudio_(_at_)_openbsd_(_dot_)_org>
Cc: gnats_(_at_)_openbsd_(_dot_)_org, Henning Brauer <henning_(_at_)_openbsd_(_dot_)_org>
Subject: Re: system/5052: abend in bgpd
Date: Sun, 12 Mar 2006 22:32:31 +0100

 On 12. mar. 2006, at 22.10, Claudio Jeker wrote:
 
 > On Sun, Mar 12, 2006 at 07:52:27PM +0100, pvickers_(_at_)_broadpark_(_dot_)_no wrote:
 >>> Number:         5052
 >>> Category:       system
 >>> Synopsis:       bgpd crashes when fed junk in its control socket
 >>> Confidential:   yes
 >>> Severity:       non-critical
 >>> Priority:       low
 >>> Responsible:    bugs
 >>> State:          open
 >>> Quarter:
 >>> Keywords:
 >>> Date-Required:
 >>> Class:          sw-bug
 >>> Submitter-Id:   net
 >>> Arrival-Date:   Sun Mar 12 20:10:02 GMT 2006
 >>> Closed-Date:
 >>> Last-Modified:
 >>> Originator:     Pete Vickers
 >>> Release:        3.9-current
 >>> Organization:
 >> systemnet
 >>> Environment:
 >> 	
 >> 	System      : OpenBSD 3.9
 >> 	Architecture: OpenBSD.i386
 >> 	Machine     : i386
 >>> Description:
 >> I'm playing with distributing spam blacklists via bgp with my net. I  
 >> have a route server which I load up with spam hosts gleaned from  
 >> spam blacklists, and then routers can peer with the route server  
 >> and dynamically acquire the blacklist(s).
 >> I fed bgpd something stupid via its control socket (admittedly as  
 >> root) and bgpd crashed, which I think should be protected against.
 >>> How-To-Repeat:
 >>  fire up bgpd, then run:  #lynx -dump -dont_wrap_pre  
 >> www.openbsd.org/spamd/spews_list_level1.txt.gz | awk ' /^[0-9]+/  
 >> {  while ( "bgpctl network add $1" | getline ) print } ' as superuser
 >>> Fix:
 >>         bgpd should probably validate input before processing  
 >> it... and I should write better shell scripts to feed bgpd correctly.
 >>
 >>
 >>> Release-Note:
 >>> Audit-Trail:
 >>> Unformatted:
 >>
 >
 > Could you try the following diff? This seems to fix the problem for  
 > me.
 >
 > -- 
 > :wq Claudio
 >
 > Index: rde.c
 > ===================================================================
 > RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
 > retrieving revision 1.200
 > diff -u -p -r1.200 rde.c
 > --- rde.c	10 Feb 2006 14:34:40 -0000	1.200
 > +++ rde.c	12 Mar 2006 21:05:52 -0000
 > @@ -343,7 +343,22 @@ rde_dispatch_imsg_session(struct imsgbuf
 >  				break;
 >  			}
 >  			session_set = NULL;
 > -			network_add(&netconf_s, 0);
 > +			switch (netconf_s.prefix.af) {
 > +			case AF_INET:
 > +				if (netconf_s.prefixlen > 32)
 > +					goto badnet;
 > +				network_add(&netconf_s, 0);
 > +				break;
 > +			case AF_INET6:
 > +				if (netconf_s.prefixlen > 128)
 > +					goto badnet;
 > +				network_add(&netconf_s, 0);
 > +				break;
 > +			default:
 > +badnet:
 > +				log_warnx("rde_dispatch: bad network");
 > +				break;
 > +			}
 >  			break;
 >  		case IMSG_NETWORK_REMOVE:
 >  			if (imsg.hdr.len - IMSG_HEADER_SIZE !=
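
 Review bot: the bounds check on netconf_s.prefixlen is added only under IMSG_NETWORK_ADD, while the IMSG_NETWORK_REMOVE case that begins in the trailing context shows only a message-length comparison. If that path also takes a prefix from the control socket it should get the same af/prefixlen validation, ideally through one small helper called from both cases, which would also remove the duplicated network_add(&netconf_s, 0) calls and the goto into the default: label. The log_warnx("rde_dispatch: bad network") message would be more useful to an operator if it included the offending address family and prefix length.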
 
 
 Hi,
 
 now I get:
 
 $ tail /var/log/daemon
 Mar 12 22:29:53 dev bgpd[3875]: rde_dispatch: bad network
 
 much healthier :) thanks for ultra quick response.
 
 /Pete
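
The submitter's remark about feeding bgpd correctly can be handled on the client side as well as in the daemon. The following is an added example, not part of the original thread or of OpenBSD's code: a POSIX shell filter that lets only well-formed IPv4 prefixes (length 0 to 32, the same bound the diff enforces for AF_INET) reach `bgpctl network add`. The function names and the sample feed are constructed for illustration, and a bare address is assumed to mean a /32.

```shell
#!/bin/sh
# Added example (not from the thread): keep malformed entries away from bgpctl.

# filter_prefixes: read a feed on stdin and print "a.b.c.d/len" for every line
# whose first field is a valid IPv4 address with an optional /0../32 length.
# Assumption: a bare address means a host route (/32).
# Rejected lines are reported on stderr.
filter_prefixes() {
	awk '
	{
		n = split($1, part, "/")
		ok = (n == 1 || n == 2)
		len = 32
		if (ok && n == 2) {
			if (part[2] ~ /^[0-9]+$/ && length(part[2]) <= 2 && part[2] + 0 <= 32)
				len = part[2] + 0
			else
				ok = 0
		}
		if (ok && split(part[1], oct, ".") != 4)
			ok = 0
		for (i = 1; ok && i <= 4; i++)
			if (oct[i] !~ /^[0-9]+$/ || length(oct[i]) > 3 || oct[i] + 0 > 255)
				ok = 0
		if (ok)
			printf "%d.%d.%d.%d/%d\n", oct[1], oct[2], oct[3], oct[4], len
		else
			print "rejected: " $0 | "cat 1>&2"
	}'
}

# Constructed sample feed: documentation addresses, not real blacklist data.
sample_feed() {
	cat <<'EOF'
192.0.2.0/24
198.51.100.7
203.0.113.0/33
300.1.2.3/24
# comment line
$1
EOF
}

# Dry run: print the commands instead of executing them.
sample_feed | filter_prefixes | while read -r prefix; do
	echo "bgpctl network add $prefix"
done
```

Validating in the feeder complements the daemon-side check in the diff; it does not replace it, since any local client with access to the control socket can still send arbitrary messages.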