bgpd: Check if we have real stream data for tunnel encapsulation sub-tlvs

When the packet is malformed it can use whatever values it wants. Let's check
what the real data we have in a stream instead of relying on malformed values.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit 9929486d6bdb28469a5b626a17d5bc9991c83ce3)

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 76b698d759f32ec0243254a55217eae7a860fca1..006047bf87f3de32488b8188b286af26b6a1354c 100644 (file)
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2695,7 +2695,7 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
                }
        }
 
-       while (length >= 4) {
+       while (STREAM_READABLE(BGP_INPUT(peer)) >= 4) {
                uint16_t subtype = 0;
                uint16_t sublength = 0;
                struct bgp_attr_encap_subtlv *tlv;