bgpd: Check if FQDN capability length is in valid ranges 16083/head
authorDonatas Abraitis <donatas@opensourcerouting.org>
Fri, 24 May 2024 06:58:30 +0000 (09:58 +0300)
committerDonatas Abraitis <donatas@opensourcerouting.org>
Fri, 24 May 2024 07:38:49 +0000 (10:38 +0300)
If FQDN capability comes as dynamic capability we should check if the encoding
is proper.

Before this patch we returned an error only if the hostname/domainname length
check was > end. But technically, if the length check is == end, this is also
a malformed capability, because we use the data incorrectly after we check the
length.

This causes heap overflow (when compiled with address-sanitizer).

Signed-off-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
bgpd/bgp_packet.c

index a32ee788615494c611e8b24d5c01397af831f605..86f85dd86662aecf985a50d70e469a339f852e2b 100644 (file)
@@ -3433,7 +3433,7 @@ static void bgp_dynamic_capability_fqdn(uint8_t *pnt, int action,
 
        if (action == CAPABILITY_ACTION_SET) {
                /* hostname */
-               if (data + 1 > end) {
+               if (data + 1 >= end) {
                        zlog_err("%pBP: Received invalid FQDN capability (host name length)",
                                 peer);
                        return;
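Review bot: The new `>=` on the length-byte bound is coarser than the encoding needs: it demands at least one byte after the length byte, which also rejects a length of zero when that byte is the last one in the capability, and whether a zero-length name is legal at that position is a protocol question worth confirming (the same change is made in the domain-name hunk below). A tighter form would keep the original `data + 1 > end` guard for the length byte itself and, after reading `len`, reject `data + 1 + len > end` before any of the name bytes are used; the code that reads the length and the data lies outside this hunk, so I cannot see whether such a check already follows. Either way the intent of `>=` deserves a comment, e.g. `/* need the length byte plus at least one byte of data after it */`, since a reader would otherwise expect `>` for a single-byte read. bgp_dynamic_capability_fqdn starts before and continues past both hunks.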
@@ -3463,7 +3463,7 @@ static void bgp_dynamic_capability_fqdn(uint8_t *pnt, int action,
                        peer->hostname = XSTRDUP(MTYPE_BGP_PEER_HOST, str);
                }
 
-               if (data + 1 > end) {
+               if (data + 1 >= end) {
                        zlog_err("%pBP: Received invalid FQDN capability (domain name length)",
                                 peer);
                        return;