From: Theo Buehler <tb@theobuehler.org>
Subject: Re: bgpd: tohex handle len = 0 gracefully
To: tech@openbsd.org
Date: Tue, 4 Nov 2025 15:34:58 +0100

On Tue, Nov 04, 2025 at 03:20:58PM +0100, Claudio Jeker wrote:
> If tohex is called with len = 0 then the code will write '\0' to
> out[-1] which is bad. Right now tohex() is never called with len == 0
> but lets make this more obvious.

ok tb

> 
> Fixes CID 492344
> -- 
> :wq Claudio
> 
> Index: logmsg.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/logmsg.c,v
> diff -u -p -r1.17 logmsg.c
> --- logmsg.c	30 Oct 2025 12:43:18 -0000	1.17
> +++ logmsg.c	4 Nov 2025 14:18:45 -0000
> @@ -135,6 +135,8 @@ tohex(const unsigned char *in, size_t le
>  	static char out[(16 + 1) * 3];
>  	size_t i, o = 0;
>  
> +	if (len == 0)
> +		return "";
>  	if (len > 16)
>  		len = 16;
>  	for (i = 0; i < len; i++) {
> @@ -269,9 +271,8 @@ log_notification(const struct peer *peer
>  			size_t len = sizeof(buf);
>  			if (ibuf_size(&ibuf) < len)
>  				len = ibuf_size(&ibuf);
> -			if (ibuf_get(&ibuf, buf, len) == -1) {
> +			if (ibuf_get(&ibuf, buf, len) == -1)
>  				break;
> -			}
>  			logit(LOG_INFO, "   %5zu: %s", off, tohex(buf, len));
>  			off += len;
>  		}
>