Bug 80152 - Bug in print-bgp.c
Status: CLOSED DUPLICATE of bug 82995
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 7.2
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Harald Hoyer
http://www.tcpdump.org/lists/workers/...
Reported: 2002-12-20 14:47 EST by Eric Moret
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2006-02-21 13:50:29 EST
Description Eric Moret 2002-12-20 14:47:19 EST
Quoting the above URL:

[tcpdump-workers] bug in print-bgp.c

    * To: TCPDUMP Workers <tcpdump-workers@tcpdump.org>, TCPDUMP Patches <patches@tcpdump.org>
    * Subject: [tcpdump-workers] bug in print-bgp.c
    * From: Kaarthik Sivakumar <kaarthik@torrentnet.com>
    * Date: 16 Oct 2001 20:38:12 -0400
    * Sender: owner-tcpdump-workers@sandelman.ottawa.on.ca
    * User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Capitol Reef)

Hi folks

There is a bug in bgp open message options parsing in print-bgp.c. The
problem is in the line listed below.

    /* print-bgp.c, line 554 */
    for (i = 0; i < bgpo.bgpo_optlen; i++) {
        TCHECK2(opt[i], BGP_OPT_SIZE);
        memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
        if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {
            printf(" [|opt %d %d]", bgpopt.bgpopt_len, bgpopt.bgpopt_type);
            break;
        }

        printf(" (option %s, len=%d)", bgp_opttype(bgpopt.bgpopt_type),
            bgpopt.bgpopt_len);
        i += BGP_OPT_SIZE + bgpopt.bgpopt_len;
    }

The for loop should be 

        for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) {

since i is getting incremented within the for loop. This results in
the i going one value too far into the options list and so memcpy of
bgpopt results in incorrect value. A patch is attached that corrects
it. I am not sure what the correct patch format is. I am sending a
'diff -ur'.

The patch also contains the identification of the Capabilities
optional parameter (parameter type 2) in 'char *bgpopt_type[]'.

I had sent a patch earlier today to patches@tcpdump.org on
print-mpls.c but I am not sure if I should send it to tcpdump-workers
also. Could someone let me know about that? Thanks.

Kaarthik


--- print-bgp.c.orig	Tue Oct 16 20:26:54 2001
+++ print-bgp.c	Tue Oct 16 20:24:22 2001
@@ -131,7 +131,7 @@
 #define bgp_type(x) num_or_str(bgptype, sizeof(bgptype)/sizeof(bgptype[0]), (x))
 
 static const char *bgpopt_type[] = {
-	NULL, "Authentication Information",
+  NULL, "Authentication Information", "Capabilities Advertisement",
 };
 #define bgp_opttype(x) \
 	num_or_str(bgpopt_type, sizeof(bgpopt_type)/sizeof(bgpopt_type[0]), (x))
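Review bot: The added initializer line is indented with two spaces where the line it replaces used a tab; keep the tab so the hunk changes only the table contents. The table is used positionally through bgp_opttype(x) (NULL at index 0, "Authentication Information" at 1), so the new string is correct only while it stays at index 2; one entry per line, or a short comment stating that the index is the option type, would make that harder to break when another type is added.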
@@ -551,7 +551,7 @@
 	opt = &((const struct bgp_open *)dat)->bgpo_optlen;
 	opt++;
 
-	for (i = 0; i < bgpo.bgpo_optlen; i++) {
+	for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) {
 		TCHECK2(opt[i], BGP_OPT_SIZE);
 		memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
 		if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {
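Review bot: With the increment clause reduced to /* Nothing */, the for header no longer advances i at all, so termination rests entirely on the i += BGP_OPT_SIZE + bgpopt.bgpopt_len statement at the bottom of the body, which is shown in the message but lies outside this hunk's context. Consider moving that expression into the increment clause instead of leaving it empty, so that a later continue added to the body cannot loop forever. Separately, the bounds check on the last context line uses the literal 2 while the TCHECK2 and memcpy lines use BGP_OPT_SIZE; using the macro there too would keep the three in step.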
Comment 1 Harald Hoyer 2003-02-12 09:01:55 EST

*** This bug has been marked as a duplicate of 82995 ***
Comment 2 Red Hat Bugzilla 2006-02-21 13:50:29 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
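
The off-by-one reported in the quoted tcpdump-workers message, reproduced as an added example (not tcpdump's code and not part of the original report): a stand-alone C walk over a constructed option list, running the original loop's extra i++ beside the patched loop. The names walk_opts, opt_seen, OPT_HDR and MAX_OPTS and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_HDR  2   /* type byte + length byte (BGP_OPT_SIZE on the page) */
#define MAX_OPTS 8   /* hypothetical cap on recorded options */

struct opt_seen { uint8_t type, len; };

/* Constructed sample: option type 1 (len 2), then option type 2 (len 4). */
static const uint8_t sample[] = {
    1, 2, 0xAA, 0xBB,
    2, 4, 0x41, 0x04, 0x00, 0x01,
};

/*
 * Walk a type/length/value option list of optlen bytes.
 * extra_step = 1 reproduces the original "i++" in the for header,
 * extra_step = 0 is the patched loop. Returns the number of options
 * decoded; *truncated is set when an option claims more bytes than remain.
 */
static int walk_opts(const uint8_t *opt, size_t optlen, int extra_step,
                     struct opt_seen *out, int max, int *truncated)
{
    int n = 0;
    *truncated = 0;
    for (size_t i = 0; i < optlen && n < max; i += (size_t)extra_step) {
        /* Stand-in for TCHECK2: the header must lie inside the buffer. */
        if (optlen - i < OPT_HDR) { *truncated = 1; break; }
        uint8_t type = opt[i], len = opt[i + 1];
        if (i + OPT_HDR + len > optlen) { *truncated = 1; break; }
        out[n].type = type;
        out[n].len = len;
        n++;
        i += OPT_HDR + (size_t)len;   /* advance past header and value */
    }
    return n;
}

int main(void)
{
    struct opt_seen seen[MAX_OPTS];
    int trunc;
    for (int extra = 1; extra >= 0; extra--) {
        int n = walk_opts(sample, sizeof sample, extra, seen, MAX_OPTS, &trunc);
        printf("%s loop: %d option(s)%s\n", extra ? "original" : "patched",
               n, trunc ? ", then a truncation marker" : "");
    }
    return 0;
}
```

With the extra increment, the second header is read one byte late, so the length byte of option 2 is taken as its type and the first value byte (0x41) as its length, which trips the overrun check.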
