80152 – Bug in print-bgp.c

Bug 80152 - Bug in print-bgp.c

Summary: Bug in print-bgp.c

Keywords:
Status:	CLOSED DUPLICATE of bug 82995
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	tcpdump
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Harald Hoyer
QA Contact:
Docs Contact:
URL:	http://www.tcpdump.org/lists/workers/...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2002-12-20 19:47 UTC by Eric Moret
Modified:	2008-05-01 15:38 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-02-21 18:50:29 UTC
Embargoed:

Attachments	(Terms of Use)

Description Eric Moret 2002-12-20 19:47:19 UTC

Quoting the above URL:

[tcpdump-workers] bug in print-bgp.c

    * To: TCPDUMP Workers <tcpdump-workers>, TCPDUMP Patches
<patches>
    * Subject: [tcpdump-workers] bug in print-bgp.c
    * From: Kaarthik Sivakumar <kaarthik>
    * Date: 16 Oct 2001 20:38:12 -0400
    * Sender: owner-tcpdump-workers.on.ca
    * User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Capitol Reef)

Hi folks

There is a bug in bgp open message options parsing in print-bgp.c. The
problem is in the line listed below.

554:    for (i = 0; i < bgpo.bgpo_optlen; i++) {
                TCHECK2(opt[i], BGP_OPT_SIZE);
                memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
                if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {
			printf(" [|opt %d %d]", bgpopt.bgpopt_len, bgpopt.bgpopt_type);
			break;
		}

		printf(" (option %s, len=%d)", bgp_opttype(bgpopt.bgpopt_type),
			bgpopt.bgpopt_len);
		i += BGP_OPT_SIZE + bgpopt.bgpopt_len;
	}

The for loop should be 

        for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) {

since i is getting incremented within the for loop. This results in
the i going one value too far into the options list and so memcpy of
bgpopt results in incorrect value. A patch is attached that corrects
it. I am not sure what the correct patch format is. I am sending a
'diff -ur'.

The patch also contains the identification of the Capabilities
optional parameter (parameter type 2) in 'char *bgpopt_type[]'.

I had sent a patch earlier today to patches on
print-mpls.c but I am not sure if I should send it to tcpdump-workers
also. Could someone let me know about that? Thanks.

Kaarthik


--- print-bgp.c.orig	Tue Oct 16 20:26:54 2001
+++ print-bgp.c	Tue Oct 16 20:24:22 2001
@@ -131,7 +131,7 @@
 #define bgp_type(x) num_or_str(bgptype, sizeof(bgptype)/sizeof(bgptype[0]), (x))
 
 static const char *bgpopt_type[] = {
-	NULL, "Authentication Information",
+  NULL, "Authentication Information", "Capabilities Advertisement",
 };
 #define bgp_opttype(x) \
 	num_or_str(bgpopt_type, sizeof(bgpopt_type)/sizeof(bgpopt_type[0]), (x))
@@ -551,7 +551,7 @@
 	opt = &((const struct bgp_open *)dat)->bgpo_optlen;
 	opt++;
 
-	for (i = 0; i < bgpo.bgpo_optlen; i++) {
+	for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) {
 		TCHECK2(opt[i], BGP_OPT_SIZE);
 		memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
 		if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {

Comment 1 Harald Hoyer 2003-02-12 14:01:55 UTC


*** This bug has been marked as a duplicate of 82995 ***

Comment 2 Red Hat Bugzilla 2006-02-21 18:50:29 UTC

Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.