mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-05-17 05:59:26 +00:00
bgpd: Make sure we are playing with non-NULL for bgp shutdown message
``` *** CID 1510738: Null pointer dereferences (FORWARD_NULL) /bgpd/bgp_vty.c: 4243 in bgp_shutdown_msg_magic() 4237 if (msgstr && strlen(msgstr) > BGP_ADMIN_SHUTDOWN_MSG_LEN) { 4238 vty_out(vty, "%% Shutdown message size exceeded %d\n", 4239 BGP_ADMIN_SHUTDOWN_MSG_LEN); 4240 return CMD_WARNING_CONFIG_FAILED; 4241 } 4242 >>> CID 1510738: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "msgstr" to "bgp_shutdown_enable", which dereferences it. 4243 bgp_shutdown_enable(bgp, msgstr); 4244 XFREE(MTYPE_TMP, msgstr); 4245 4246 return CMD_SUCCESS; 4247 } 4248 ``` ``` *** CID 1510737: Null pointer dereferences (REVERSE_INULL) /bgpd/bgpd.c: 4344 in bgp_shutdown_enable() 4338 /* continue, if peer is already in administrative shutdown. */ 4339 if (CHECK_FLAG(peer->flags, PEER_FLAG_SHUTDOWN)) 4340 continue; 4341 4342 /* send a RFC 4486 notification message if necessary */ 4343 if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) { >>> CID 1510737: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "msg" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. 4344 if (msg) 4345 bgp_notify_send_with_data( 4346 peer, BGP_NOTIFY_CEASE, 4347 BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN, data, 4348 datalen + 1); 4349 else ``` Signed-off-by: Donatas Abraitis <donatas.abraitis@gmail.com>
This commit is contained in:
parent
0064d4736d
commit
ed284e2338
17
bgpd/bgpd.c
17
bgpd/bgpd.c
@ -4320,10 +4320,6 @@ void bgp_shutdown_enable(struct bgp *bgp, const char *msg)
|
|||||||
struct listnode *node;
|
struct listnode *node;
|
||||||
/* length(1) + message(N) */
|
/* length(1) + message(N) */
|
||||||
uint8_t data[BGP_ADMIN_SHUTDOWN_MSG_LEN + 1];
|
uint8_t data[BGP_ADMIN_SHUTDOWN_MSG_LEN + 1];
|
||||||
size_t datalen = strlen(msg);
|
|
||||||
|
|
||||||
data[0] = datalen;
|
|
||||||
memcpy(data + 1, msg, datalen);
|
|
||||||
|
|
||||||
/* do nothing if already shut down */
|
/* do nothing if already shut down */
|
||||||
if (CHECK_FLAG(bgp->flags, BGP_FLAG_SHUTDOWN))
|
if (CHECK_FLAG(bgp->flags, BGP_FLAG_SHUTDOWN))
|
||||||
@ -4341,16 +4337,25 @@ void bgp_shutdown_enable(struct bgp *bgp, const char *msg)
|
|||||||
|
|
||||||
/* send a RFC 4486 notification message if necessary */
|
/* send a RFC 4486 notification message if necessary */
|
||||||
if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) {
|
if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) {
|
||||||
if (msg)
|
if (msg) {
|
||||||
|
size_t datalen = strlen(msg);
|
||||||
|
|
||||||
|
if (datalen > BGP_ADMIN_SHUTDOWN_MSG_LEN)
|
||||||
|
datalen = BGP_ADMIN_SHUTDOWN_MSG_LEN;
|
||||||
|
|
||||||
|
data[0] = datalen;
|
||||||
|
memcpy(data + 1, msg, datalen);
|
||||||
|
|
||||||
bgp_notify_send_with_data(
|
bgp_notify_send_with_data(
|
||||||
peer, BGP_NOTIFY_CEASE,
|
peer, BGP_NOTIFY_CEASE,
|
||||||
BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN, data,
|
BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN, data,
|
||||||
datalen + 1);
|
datalen + 1);
|
||||||
else
|
} else {
|
||||||
bgp_notify_send(
|
bgp_notify_send(
|
||||||
peer, BGP_NOTIFY_CEASE,
|
peer, BGP_NOTIFY_CEASE,
|
||||||
BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
|
BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* reset start timer to initial value */
|
/* reset start timer to initial value */
|
||||||
peer->v_start = BGP_INIT_START_TIMER;
|
peer->v_start = BGP_INIT_START_TIMER;
|
||||||
|
Loading…
Reference in New Issue
Block a user