bgpd: Ensure that bgp open message stream has enough data to read

If a operator receives an invalid packet that is of insufficient size
then it is possible for BGP to assert during reading of the packet
instead of gracefully resetting the connection with the peer.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78)

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index a5f065a15c8ba405eb0975be2a3f1c7537295a3e..aaad0e000561ebf6d7223a11d7a0180fc550886f 100644 (file)
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -1327,8 +1327,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
            || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
                uint8_t opttype;
 
+               if (STREAM_READABLE(peer->curr) < 1) {
+                       flog_err(
+                               EC_BGP_PKT_OPEN,
+                               "%s: stream does not have enough bytes for extended optional parameters",
+                               peer->host);
+                       bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+                                       BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+                       return BGP_Stop;
+               }
+
                opttype = stream_getc(peer->curr);
                if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
+                       if (STREAM_READABLE(peer->curr) < 2) {
+                               flog_err(
+                                       EC_BGP_PKT_OPEN,
+                                       "%s: stream does not have enough bytes to read the extended optional parameters optlen",
+                                       peer->host);
+                               bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+                                               BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+                               return BGP_Stop;
+                       }
                        optlen = stream_getw(peer->curr);
                        SET_FLAG(peer->sflags,
                                 PEER_STATUS_EXT_OPT_PARAMS_LENGTH);