bgpd: Fix possible insufficient stream data

When reading the BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE
it is possible that the length read in the packet is insufficiently
large enough to read a BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE.
Let's ensure that it is.

Fixes: #10860
Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 2154baf4e9e326baa61a499d17948cc71da934e3..d361e31efe734cfedb0a6033abcd20abbf50b01d 100644 (file)
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2574,6 +2574,16 @@ bgp_attr_srv6_service_data(struct bgp_attr_parser_args *args)
                                          args->total);
        }
 
+       if (length < BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {
+               flog_err(
+                       EC_BGP_ATTR_LEN,
+                       "Malformed SRv6 Service Data Sub-Sub-TLV attribute - insufficient data (need %hu, have %u remaining in UPDATE)",
+                       BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH,
+                       length);
+               return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+                                         args->total);
+       }
+
        if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE) {
                loc_block_len = stream_getc(peer->curr);
                loc_node_len = stream_getc(peer->curr);