From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: bgpd: check aid2afi return value consistently
To: tech@openbsd.org
Date: Tue, 4 Nov 2025 15:40:22 +0100

Consistently check if aid2afi() failed

Check return value against == -1 also use the same error message in
most places.

Add check in mrt_dump_entry_v2(), the call in mrt_dump_entry() is skipped
since the aid is limited to AID_INET and AID_INET6 and so that function is
not supposed to fail.

Fixes CID 492335
-- 
:wq Claudio


Index: mrt.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/mrt.c,v
diff -u -p -r1.128 mrt.c
--- mrt.c	4 Nov 2025 10:47:25 -0000	1.128
+++ mrt.c	4 Nov 2025 14:32:12 -0000
@@ -709,7 +709,12 @@ mrt_dump_entry_v2(struct mrt *mrt, struc
 		 */
 		subtype = MRT_DUMP_V2_RIB_GENERIC;
 		apsubtype = MRT_DUMP_V2_RIB_GENERIC_ADDPATH;
-		aid2afi(re->prefix->aid, &afi, &safi);
+		if (aid2afi(re->prefix->aid, &afi, &safi) == -1) {
+			log_warnx("%s: bad AID", __func__);
+			ibuf_free(pbuf);
+			return (-1);
+		}
+
 
 		/* first add 3-bytes AFI/SAFI */
 		if (ibuf_add_n16(pbuf, afi) == -1)
Index: rde_update.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
diff -u -p -r1.176 rde_update.c
--- rde_update.c	4 Jun 2025 09:12:34 -0000	1.176
+++ rde_update.c	4 Nov 2025 14:34:52 -0000
@@ -904,8 +904,8 @@ up_generate_mp_reach(struct ibuf *buf, s
 	if (ibuf_add_zero(buf, sizeof(len)) == -1)
 		return -1;
 
-	if (aid2afi(aid, &afi, &safi))
-		fatalx("up_generate_mp_reach: bad AID");
+	if (aid2afi(aid, &afi, &safi) == -1)
+		fatalx("%s: bad AID", __func__);
 
 	/* AFI + SAFI + NH LEN + NH + Reserved */
 	if (ibuf_add_n16(buf, afi) == -1)
@@ -1060,7 +1060,7 @@ up_dump_withdraws(struct imsgbuf *imsg, 
 			goto fail;
 
 		/* afi & safi */
-		if (aid2afi(aid, &afi, &safi))
+		if (aid2afi(aid, &afi, &safi) == -1)
 			fatalx("%s: bad AID", __func__);
 		if (ibuf_add_n16(buf, afi) == -1)
 			goto fail;
@@ -1131,7 +1131,7 @@ up_dump_withdraw_one(struct rde_peer *pe
 			return -1;
 
 		/* afi & safi */
-		if (aid2afi(p->pt->aid, &afi, &safi))
+		if (aid2afi(p->pt->aid, &afi, &safi) == -1)
 			fatalx("%s: bad AID", __func__);
 		if (ibuf_add_n16(buf, afi) == -1)
 			return -1;
Index: session_bgp.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/session_bgp.c,v
diff -u -p -r1.5 session_bgp.c
--- session_bgp.c	21 Aug 2025 15:15:25 -0000	1.5
+++ session_bgp.c	4 Nov 2025 14:37:24 -0000
@@ -146,7 +146,7 @@ session_capa_add_afi(struct ibuf *b, uin
 	uint16_t	afi;
 	uint8_t		safi;
 
-	if (aid2afi(aid, &afi, &safi)) {
+	if (aid2afi(aid, &afi, &safi) == -1) {
 		log_warn("%s: bad AID", __func__);
 		return (-1);
 	}
@@ -165,7 +165,7 @@ session_capa_add_ext_nh(struct ibuf *b, 
 	uint16_t	afi;
 	uint8_t		safi;
 
-	if (aid2afi(aid, &afi, &safi)) {
+	if (aid2afi(aid, &afi, &safi) == -1) {
 		log_warn("%s: bad AID", __func__);
 		return (-1);
 	}
@@ -559,7 +559,7 @@ session_rrefresh(struct peer *p, uint8_t
 	}
 
 	if (aid2afi(aid, &afi, &safi) == -1)
-		fatalx("session_rrefresh: bad afi/safi pair");
+		fatalx("%s: bad AID", __func__);
 
 	if ((buf = session_newmsg(BGP_RREFRESH, MSGSIZE_RREFRESH)) == NULL) {
 		bgp_fsm(p, EVNT_CON_FATAL, NULL);