bgpd: Check if we have real stream data for tunnel encapsulation sub-…

…tlvs When the packet is malformed it can use whatever values it wants. Let's check what the real data we have in a stream instead of relying on malformed values. Reported-by: Iggy Frankovic <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]> (cherry picked from commit 9929486)
opensourcerouting · Jun 25, 2024 · 1352ab7 · 1352ab7
1 parent 55833d1
commit 1352ab7
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
@@ -2695,7 +2695,7 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 		}
 	}
 
-	while (length >= 4) {
+	while (STREAM_READABLE(BGP_INPUT(peer)) >= 4) {
 		uint16_t subtype = 0;
 		uint16_t sublength = 0;
 		struct bgp_attr_encap_subtlv *tlv;