From a90b8cb58a58f2c77b8c76d76fa88cd241b776cd Mon Sep 17 00:00:00 2001
From: Rafael Zalamena <rzalamena@opensourcerouting.org>
Date: Thu, 14 Dec 2017 13:57:03 -0200
Subject: [PATCH 1/2] bgpd: use buffer size instead of hardcoded value

This is a possible buffer overflow.

We should always use the buffer size (whenever possible) to tell
functions what the size of the buffer is, instead of a hardcoded value.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
---
 bgpd/rfapi/rfapi_vty.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bgpd/rfapi/rfapi_vty.c b/bgpd/rfapi/rfapi_vty.c
index fb7d8beab32e..37ca5edc96df 100644
--- a/bgpd/rfapi/rfapi_vty.c
+++ b/bgpd/rfapi/rfapi_vty.c
@@ -1529,7 +1529,7 @@ void rfapiPrintRd(struct vty *vty, struct prefix_rd *prd)
 {
 	char buf[RD_ADDRSTRLEN];
 
-	prefix_rd2str(prd, buf, BUFSIZ);
+	prefix_rd2str(prd, buf, sizeof(buf));
 	vty_out(vty, "%s", buf);
 }
 

From 1ad057aed6a16ba85ef5a770f7855d749ed94881 Mon Sep 17 00:00:00 2001
From: Rafael Zalamena <rzalamena@opensourcerouting.org>
Date: Thu, 14 Dec 2017 14:00:58 -0200
Subject: [PATCH 2/2] bgpd: handle argv_find_and_parse_afi return value

Handle the return value of argv_find_and_parse_afi() to avoid passing
along bad values.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
---
 bgpd/rfapi/bgp_rfapi_cfg.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/bgpd/rfapi/bgp_rfapi_cfg.c b/bgpd/rfapi/bgp_rfapi_cfg.c
index 3fbba6677434..7f2dbe7f9d6c 100644
--- a/bgpd/rfapi/bgp_rfapi_cfg.c
+++ b/bgpd/rfapi/bgp_rfapi_cfg.c
@@ -1626,7 +1626,11 @@ DEFUN (vnc_nve_group_export_no_prefixlist,
 		return CMD_WARNING_CONFIG_FAILED;
 	}
 
-	argv_find_and_parse_afi(argv, argc, &idx, &afi);
+	if (!argv_find_and_parse_afi(argv, argc, &idx, &afi)) {
+		vty_out(vty, "%% Malformed Address Family\n");
+		return CMD_WARNING_CONFIG_FAILED;
+	}
+
 	if (argv[idx-1]->text[0] == 'z')
 		is_bgp = 0;
 	idx += 2;		/* skip afi and keyword */
@@ -1691,7 +1695,11 @@ DEFUN (vnc_nve_group_export_prefixlist,
 		return CMD_WARNING_CONFIG_FAILED;
 	}
 
-	argv_find_and_parse_afi(argv, argc, &idx, &afi);
+	if (!argv_find_and_parse_afi(argv, argc, &idx, &afi)) {
+		vty_out(vty, "%% Malformed Address Family\n");
+		return CMD_WARNING_CONFIG_FAILED;
+	}
+
 	if (argv[idx-1]->text[0] == 'z')
 		is_bgp = 0;
 	idx = argc - 1;