Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 80152 - Bug in print-bgp.c
Summary: Bug in print-bgp.c
Status: CLOSED DUPLICATE of bug 82995
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: tcpdump
Version: 7.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2002-12-20 19:47 UTC by Eric Moret
Modified: 2008-05-01 15:38 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-02-21 18:50:29 UTC

Attachments (Terms of Use)

Description Eric Moret 2002-12-20 19:47:19 UTC
Quoting the above URL:

[tcpdump-workers] bug in print-bgp.c

    * To: TCPDUMP Workers <>, TCPDUMP Patches
    * Subject: [tcpdump-workers] bug in print-bgp.c
    * From: Kaarthik Sivakumar <>
    * Date: 16 Oct 2001 20:38:12 -0400
    * Sender:
    * User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Capitol Reef)

Hi folks

There is a bug in bgp open message options parsing in print-bgp.c. The
problem is in the line listed below.

554:    for (i = 0; i < bgpo.bgpo_optlen; i++) {
                TCHECK2(opt[i], BGP_OPT_SIZE);
                memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
                if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {
			printf(" [|opt %d %d]", bgpopt.bgpopt_len, bgpopt.bgpopt_type);

		printf(" (option %s, len=%d)", bgp_opttype(bgpopt.bgpopt_type),
		i += BGP_OPT_SIZE + bgpopt.bgpopt_len;

The for loop should be 

        for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) {

since i is getting incremented within the for loop. This results in
the i going one value too far into the options list and so memcpy of
bgpopt results in incorrect value. A patch is attached that corrects
it. I am not sure what the correct patch format is. I am sending a
'diff -ur'.

The patch also contains the identification of the Capabilities
optional parameter (parameter type 2) in 'char *bgpopt_type[]'.

I had sent a patch earlier today to on
print-mpls.c but I am not sure if I should send it to tcpdump-workers
also. Could someone let me know about that? Thanks.


--- print-bgp.c.orig	Tue Oct 16 20:26:54 2001
+++ print-bgp.c	Tue Oct 16 20:24:22 2001
@@ -131,7 +131,7 @@
 #define bgp_type(x) num_or_str(bgptype, sizeof(bgptype)/sizeof(bgptype[0]), (x))
 static const char *bgpopt_type[] = {
-	NULL, "Authentication Information",
+  NULL, "Authentication Information", "Capabilities Advertisement",
 #define bgp_opttype(x) \
 	num_or_str(bgpopt_type, sizeof(bgpopt_type)/sizeof(bgpopt_type[0]), (x))
@@ -551,7 +551,7 @@
 	opt = &((const struct bgp_open *)dat)->bgpo_optlen;
-	for (i = 0; i < bgpo.bgpo_optlen; i++) {
+	for (i = 0; i < bgpo.bgpo_optlen; /* Nothing */ ) {
 		TCHECK2(opt[i], BGP_OPT_SIZE);
 		memcpy(&bgpopt, &opt[i], BGP_OPT_SIZE);
 		if (i + 2 + bgpopt.bgpopt_len > bgpo.bgpo_optlen) {

Comment 1 Harald Hoyer 2003-02-12 14:01:55 UTC

*** This bug has been marked as a duplicate of 82995 ***

Comment 2 Red Hat Bugzilla 2006-02-21 18:50:29 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.