From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: bgpd: tohex handle len = 0 gracefully
To: tech@openbsd.org
Date: Tue, 4 Nov 2025 15:20:58 +0100

If tohex is called with len = 0 then the code will write '\0' to
out[-1] which is bad. Right now tohex() is never called with len == 0
but lets make this more obvious.

Fixes CID 492344
-- 
:wq Claudio

Index: logmsg.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/logmsg.c,v
diff -u -p -r1.17 logmsg.c
--- logmsg.c	30 Oct 2025 12:43:18 -0000	1.17
+++ logmsg.c	4 Nov 2025 14:18:45 -0000
@@ -135,6 +135,8 @@ tohex(const unsigned char *in, size_t le
 	static char out[(16 + 1) * 3];
 	size_t i, o = 0;
 
+	if (len == 0)
+		return "";
 	if (len > 16)
 		len = 16;
 	for (i = 0; i < len; i++) {
@@ -269,9 +271,8 @@ log_notification(const struct peer *peer
 			size_t len = sizeof(buf);
 			if (ibuf_size(&ibuf) < len)
 				len = ibuf_size(&ibuf);
-			if (ibuf_get(&ibuf, buf, len) == -1) {
+			if (ibuf_get(&ibuf, buf, len) == -1)
 				break;
-			}
 			logit(LOG_INFO, "   %5zu: %s", off, tohex(buf, len));
 			off += len;
 		}