Quoting the above URL:

[tcpdump-workers] bug in print-bgp.c

To: TCPDUMP Workers <tcpdump-workers>, TCPDUMP Patches <patches>
Subject: [tcpdump-workers] bug in print-bgp.c
From: Kaarthik Sivakumar <kaarthik>
Date: 16 Oct 2001 20:38:12 -0400
Sender: owner-tcpdump-workers.on.ca
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Capitol Reef)

Hi folks

There is a bug in bgp open message options parsing in print-bgp.c. The problem is in the line listed below.

554:    for (i = 0; i < bgpo.bgpo_optlen; i++) {
            TCHECK2(opt[i], BGP_OPT_SIZE);
            memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
            if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {
                printf(" [|opt %d %d]", bgpopt.bgpopt_len, bgpopt.bgpopt_type);
                break;
            }
            printf(" (option %s, len=%d)", bgp_opttype(bgpopt.bgpopt_type), bgpopt.bgpopt_len);
            i += BGP_OPT_SIZE + bgpopt.bgpopt_len;
        }

The for loop should be

        for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) {

since i is getting incremented within the for loop. This results in i going one value too far into the options list, and so the memcpy of bgpopt results in an incorrect value.

A patch is attached that corrects it. I am not sure what the correct patch format is. I am sending a 'diff -ur'. The patch also contains the identification of the Capabilities optional parameter (parameter type 2) in 'char *bgpopt_type[]'.

I had sent a patch earlier today to patches on print-mpls.c but I am not sure if I should send it to tcpdump-workers also. Could someone let me know about that?

Thanks.
Kaarthik

--- print-bgp.c.orig Tue Oct 16 20:26:54 2001 +++ print-bgp.c Tue Oct 16 20:24:22 2001 @@ -131,7 +131,7 @@ #define bgp_type(x) num_or_str(bgptype, sizeof(bgptype)/sizeof(bgptype[0]), (x)) static const char *bgpopt_type[] = { - NULL, "Authentication Information", + NULL, "Authentication Information", "Capabilities Advertisement", }; #define bgp_opttype(x) \ num_or_str(bgpopt_type, sizeof(bgpopt_type)/sizeof(bgpopt_type[0]), (x)) 
@@ -551,7 +551,7 @@ opt = &((const struct bgp_open *)dat)->bgpo_optlen; opt++; - for (i = 0; i < bgpo.bgpo_optlen; i++) { + for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) { TCHECK2(opt[i], BGP_OPT_SIZE); memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE); if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {
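Review bot: The "Capabilities Advertisement" entry added to bgpopt_type[] in the first hunk (@@ -131,7) is unrelated to the loop fix in the second hunk and would be easier to review and revert as its own patch. If it stays, putting one string per line in the initializer would make it clear which option type each index maps to, since bgp_opttype() hands the table and its element count to num_or_str().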
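Review bot: In the second hunk (@@ -551,7) the context line `if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen)` uses a literal 2 where the TCHECK2 and memcpy lines above it use BGP_OPT_SIZE; if that 2 is the option header size, spell it BGP_OPT_SIZE so the length check cannot drift from the copy. With the for-clause left as `/* Nothing */`, the loop only advances through the `i += BGP_OPT_SIZE + bgpopt.bgpopt_len` at the end of the body shown in the report, so a while loop, or a comment naming that line, would make termination easier to audit.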
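The double increment described in the report, as an added example that is not part of the original message or of tcpdump: a stand-alone C sketch that walks a constructed option list with the reported loop and with the corrected one. `walk_options`, `OPT_HDR` and the sample bytes are assumptions made for the illustration; the 2-byte type/length header follows the BGP OPEN optional-parameter layout.

```c
#include <stdio.h>
#include <stddef.h>

#define OPT_HDR 2  /* assumed: 1-byte type + 1-byte length, standing in for BGP_OPT_SIZE */

/* Constructed sample: option type 1 (len 2) followed by option type 2 (len 6). */
static const unsigned char sample_opts[] = {
    0x01, 0x02, 0xaa, 0xbb,
    0x02, 0x06, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01
};

/* Walk type/length/value options and record each type seen in types[].
 * double_step != 0 reproduces the reported loop (i++ in the for clause on
 * top of the in-body advance); double_step == 0 is the corrected loop.
 * Returns the number of options recorded. */
size_t walk_options(const unsigned char *opt, size_t optlen, int double_step,
                    unsigned char *types, size_t max)
{
    size_t i = 0, n = 0;
    while (i < optlen && n < max) {
        if (optlen - i < OPT_HDR)        /* header would cross the declared length */
            break;
        unsigned char type = opt[i], len = opt[i + 1];
        if (i + OPT_HDR + len > optlen)  /* value would cross the declared length */
            break;
        types[n++] = type;
        i += OPT_HDR + len;              /* the only advance the loop needs */
        if (double_step)
            i++;                         /* the extra step from the for clause */
    }
    return n;
}

int main(void)
{
    unsigned char t[8];
    for (int mode = 1; mode >= 0; mode--) {
        size_t n = walk_options(sample_opts, sizeof sample_opts, mode, t, 8);
        printf("%s:", mode ? "reported loop" : "corrected loop");
        for (size_t k = 0; k < n; k++)
            printf(" type=%u", (unsigned)t[k]);
        printf("\n");
    }
    return 0;
}
```

On the sample bytes the reported loop lands one byte into the second option and decodes value bytes as headers, so it reports option types that are not in the message.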
*** This bug has been marked as a duplicate of 82995 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.