From: Theo Buehler
Subject: Re: bgpd: better protect of invalid rtr packets
To: tech@openbsd.org
Date: Thu, 30 Apr 2026 17:53:13 +0200

On Thu, Apr 30, 2026 at 05:42:33PM +0200, Claudio Jeker wrote:
> The length of the RTR PDU should not only be checked against
> RTR_MAX_PDU_SIZE but also checked that the value is >= sizeof(rh) since
> that is the minimal size allowed.
>
> A short length field would trigger the fatal in rtr_parse_header() since
> the ibuf holding the PDU would be too small to fetch the header.
>
> While there fix the type of len to size_t. Maybe uint32_t would be better
> since we use ntohl()? I'm undecided on that.

I think size_t is the right type. Also, %zu is a pleasant formatting
specifier...

ok tb

>
> --
> :wq Claudio
>
> Index: rtr_proto.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/rtr_proto.c,v
> diff -u -p -r1.52 rtr_proto.c
> --- rtr_proto.c 14 Apr 2025 14:50:29 -0000 1.52
> +++ rtr_proto.c 30 Apr 2026 15:36:00 -0000
> @@ -431,12 +431,19 @@ rtr_reader_callback(struct ibuf *hdr, vo
> struct rtr_session *rs = arg;
> struct rtr_header rh;
> struct ibuf *b;
> - ssize_t len;
> + size_t len;
>
> if (ibuf_get(hdr, &rh, sizeof(rh)) == -1)
> return NULL;
>
> len = ntohl(rh.length);
> +
> + if (len < sizeof(rh)) {
> + rtr_send_error(rs, hdr, CORRUPT_DATA, "%s: too small: "
> + "%zu bytes", log_rtr_type(rh.type), len);
> + errno = ERANGE;
> + return NULL;
> + }
>
> if (len > RTR_MAX_PDU_SIZE) {
> rtr_send_error(rs, hdr, CORRUPT_DATA, "%s: too big: %zu bytes",
>
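Review bot: the "ssize_t len" to "size_t len" change in this hunk is a correctness fix in its own right and is worth a sentence in the commit message, not just "while there": ntohl() returns a uint32_t, and on a platform where ssize_t is 32 bits a length field of 0x80000000 or above would be stored as a negative value and sail past the existing "if (len > RTR_MAX_PDU_SIZE)" test, while as size_t it is rejected as intended. The new "if (len < sizeof(rh))" check is correctly placed before that test and before any later arithmetic that subtracts the header size from len, which would otherwise wrap for a short length; since rh.length counts the whole PDU including the header, sizeof(rh) is the right lower bound, and the "%zu" in the "too small" message now matches the type of len, which it would not have with the old ssize_t declaration.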