Check if routed had the same problems that route(1) had.

The answer is not really, but almost.
it sent data that was ok, though it was a hack,
but it was bug-compatible with the kernel on receiving them. This also
had been fixed with a hack.. I hacked it better I think.

2 files changed, 35 insertions, 19 deletions

diff --git a/sbin/routed/if.c b/sbin/routed/if.c
index b68ff52..2b32759 100644
--- a/sbin/routed/if.c
+++ b/sbin/routed/if.c
@@ -36,7 +36,7 @@ static char sccsid[] = "@(#)if.c	8.1 (Berkeley) 6/5/93";
 #elif defined(__NetBSD__)
 static char rcsid[] = "$NetBSD$";
 #endif
-#ident "$Revision: 1.23 $"
+#ident "$Revision: 1.1.1.5 $"
 
 #include "defs.h"
 #include "pathnames.h"
@@ -596,7 +596,12 @@ if_ok(struct interface *ifp,
 }
 
 
-/* disassemble routing message
+#ifdef _HAVE_SA_LEN
+static struct sockaddr sa_zero = { sizeof(struct sockaddr), AF_INET };
+#endif
+/*
+ * disassemble routing message
+ * copied bug for bug from the BSD kernel
  */
 void
 rt_xaddrs(struct rt_addrinfo *info,
@@ -604,10 +609,9 @@ rt_xaddrs(struct rt_addrinfo *info,
 	  struct sockaddr *lim,
 	  int addrs)
 {
+	char  *sa_limit; /* next byte after the sockaddr */
 	int i;
-#ifdef _HAVE_SA_LEN
-	static struct sockaddr sa_zero;
-#endif
+	int len;
 #ifdef sgi
 #define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(__uint64_t) - 1))) \
 		    : sizeof(__uint64_t))
@@ -623,14 +627,30 @@ rt_xaddrs(struct rt_addrinfo *info,
 		if ((addrs & (1 << i)) == 0)
 			continue;
 #ifdef _HAVE_SA_LEN
-		info->rti_info[i] = (sa->sa_len != 0) ? sa : &sa_zero;
-		sa = (struct sockaddr *)((char*)(sa)
-					 + ROUNDUP(sa->sa_len));
+		len = sa->sa_len;
+
+		/* Check the sockaddr doesn't go past the end of the buffer. */
+		/* Cope with buggy (malicious?) sender.*/
+		if (len) {
+			sa_limit = ((char*)sa) + len;
+			if ( sa_limit > (char *)lim ) /* equal is ok */
+				return;
+		} else {
+			/*
+			 * We allow the last broken sockaddr
+			 * to be replaced by a good null one
+			 * because some old versions of routing stuff
+			 * would do this (4.4 route(1) for example).
+			 * This should go away eventually.
+			 */
+			info->rti_info[i] = &sa_zero;
+			return; /* this one had unknown length */
+		}
 #else
-		info->rti_info[i] = sa;
-		sa = (struct sockaddr *)((char*)(sa)
-					 + ROUNDUP(_FAKE_SA_LEN_DST(sa)));
+		len = _FAKE_SA_LEN_DST(sa);
 #endif
+		info->rti_info[i] = sa;
+		sa = (struct sockaddr *)((char*)(sa) + ROUNDUP(len));
 	}
 }
 
diff --git a/sbin/routed/table.c b/sbin/routed/table.c
index a7c2303..e224d41 100644
--- a/sbin/routed/table.c
+++ b/sbin/routed/table.c
@@ -612,8 +612,8 @@ rtm_type_name(u_char type)
 
 
 /* Trim a mask in a sockaddr
- *	Produce a length of 0 for an address of 0.
- *	Otherwise produce the index of the first zero byte.
+ *	Produce the index of the first zero byte.
+ *	i.e. Produce a index of 4 for an mask of 0. (default route)
  */
 void
 #ifdef _HAVE_SIN_LEN
@@ -624,13 +624,11 @@ masktrim(struct sockaddr_in_new *ap)
 {
 	register char *cp;
 
-	if (ap->sin_addr.s_addr == 0) {
-		ap->sin_len = 0;
-		return;
-	}
+	ap->sin_port = 0xffff; /* buffer zone for default route */
 	cp = (char *)(&ap->sin_addr.s_addr+1);
 	while (*--cp == 0)
 		continue;
+	/*ap->sin_port = 0x0;*/ /* may not be needed (who cares?)*/
 	ap->sin_len = cp - (char*)ap + 1;
 }
 
@@ -685,8 +683,6 @@ again:
 		w.w_mask.sin_addr.s_addr = htonl(mask);
 #ifdef _HAVE_SA_LEN
 		masktrim(&w.w_mask);
-		if (w.w_mask.sin_len == 0)
-			w.w_mask.sin_len = sizeof(long);
 		w.w_rtm.rtm_msglen -= (sizeof(w.w_mask) - w.w_mask.sin_len);
 #endif
 	}