On Fri, Mar 17, 2023 at 11:39:20AM +0100, Claudio Jeker wrote:
> Dumb mistake from my side. The rtr_aspa struct is on the stack and only
> covers that data up to the spas. The spas are a variable array and not
> copied over. So access these from the buf.
Ugh. How did I miss that.
> Remove the trap of the 0 sized array in spas since it is now unused.
> Not entierly happy about that but unless we trust the buf to be aligned
> probably the best we can do.
Yes, seems the safe way to go.
ok
>
> --
> :wq Claudio
>
> Index: rtr_proto.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/bgpd/rtr_proto.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 rtr_proto.c
> --- rtr_proto.c 11 Mar 2023 10:04:59 -0000 1.14
> +++ rtr_proto.c 17 Mar 2023 10:37:05 -0000
> @@ -82,7 +82,6 @@ struct rtr_aspa {
> uint8_t afi_flags;
> uint16_t cnt;
> uint32_t cas;
> - uint32_t spas[0];
> };
>
> struct rtr_endofdata {
> @@ -669,7 +668,10 @@ rtr_parse_aspa(struct rtr_session *rs, u
> return -1;
> }
> for (i = 0; i < cnt; i++) {
> - aspa->tas[i] = ntohl(rtr_aspa.spas[i]);
> + uint32_t tas;
> + memcpy(&tas, buf + offset + i * sizeof(tas),
> + sizeof(tas));
> + aspa->tas[i] = ntohl(tas);
> aspa->tas_aid[i] = aid;
> }
> }
>
