Merge pull request FRRouting#16505 from FRRouting/mergify/bp/stable/9…

….0/pr-16497 bgpd: Check the actual remaining stream length before taking TLV value (backport FRRouting#16497)
opensourcerouting · Jul 31, 2024 · 5748034 · 5748034
2 parents 5519607 + ab70eee
commit 5748034
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
@@ -2687,6 +2687,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 						  args->total);
 		}
 
+		if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+				 sublength, STREAM_READABLE(BGP_INPUT(peer)));
+			return bgp_attr_malformed(args,
+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+						  args->total);
+		}
+
 		/* alloc and copy sub-tlv */
 		/* TBD make sure these are freed when attributes are released */
 		tlv = XCALLOC(MTYPE_ENCAP_TLV,