bgpd: Make sure hdr length is at a minimum of what is expected

Ensure that if the capability length specified is enough data.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 7c92a8d9e83ff4c1bf93f1329bd124b6e1d889a5..bcd47e32d453570c2f76409ba790c1c0ccba84a6 100644 (file)
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2440,6 +2440,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
                                "%s CAPABILITY has action: %d, code: %u, length %u",
                                peer->host, action, hdr->code, hdr->length);
 
+               if (hdr->length < sizeof(struct capability_mp_data)) {
+                       zlog_info(
+                               "%s Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+                               peer->host, sizeof(struct capability_mp_data),
+                               hdr->length);
+                       return BGP_Stop;
+               }
+
                /* Capability length check. */
                if ((pnt + hdr->length + 3) > end) {
                        zlog_info("%s Capability length error", peer->host);