git.puffer.fish Git - matthieu/frr.git/commitdiff
bgpd: fix bad bounds check for addpath in nlri
author Quentin Young <qlyoung@cumulusnetworks.com>
Sun, 24 Nov 2019 07:02:54 +0000 (02:02 -0500)
committer Quentin Young <qlyoung@cumulusnetworks.com>
Thu, 16 Jan 2020 19:36:52 +0000 (14:36 -0500)
If a peer advertised capability addpath in their OPEN, but sent us an
UPDATE without an ADDPATH, we overflow a heap buffer.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
bgpd/bgp_route.c

index ea451f5f8dbdb89edd215ea1cb0d95fe3ffb94ed..494ca4b00b8cfc356304fc07f05890a4ae5b95cc 100644 (file)
@@ -4465,7 +4465,7 @@ int bgp_nlri_parse_ip(struct peer *peer, struct attr *attr,
                if (addpath_encoded) {
 
                        /* When packet overflow occurs return immediately. */
-                       if (pnt + BGP_ADDPATH_ID_LEN > lim)
+                       if (pnt + BGP_ADDPATH_ID_LEN >= lim)
                                return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 
                        memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
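Review bot: the new `>=` at `if (pnt + BGP_ADDPATH_ID_LEN >= lim)` needs a comment saying which read it protects, because the `memcpy` right below copies exactly BGP_ADDPATH_ID_LEN bytes and is in bounds when `pnt + BGP_ADDPATH_ID_LEN == lim`. The stricter test therefore rejects a packet for the sake of an access that is not in these lines, and the existing comment ("When packet overflow occurs return immediately") does not say that at least one byte must remain after the path ID. Please state that requirement in the comment, and consider expressing it as a remaining-length comparison such as `if (lim - pnt <= BGP_ADDPATH_ID_LEN)` (assuming `pnt <= lim` holds on entry), which also avoids computing a pointer beyond the end of the buffer before the comparison. A test case with an addpath-negotiated peer sending an UPDATE whose NLRI ends exactly after the four ID bytes would pin the boundary down.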