git.puffer.fish Git - matthieu/frr.git/commitdiff
bgpd: fix bad bounds check for addpath in nlri
author Quentin Young <qlyoung@cumulusnetworks.com>
Sun, 24 Nov 2019 07:02:54 +0000 (02:02 -0500)
committer Quentin Young <qlyoung@cumulusnetworks.com>
Sun, 24 Nov 2019 07:48:11 +0000 (02:48 -0500)
If a peer advertised capability addpath in their OPEN, but sent us an
UPDATE without an ADDPATH, we overflow a heap buffer.

Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
bgpd/bgp_route.c

index fb2eb10dd931fef3ff69c3094d8910884232730f..71411df6eaca9b51f902ec182c144b350a4bb84f 100644 (file)
@@ -4481,7 +4481,7 @@ int bgp_nlri_parse_ip(struct peer *peer, struct attr *attr,
                if (addpath_encoded) {
 
                        /* When packet overflow occurs return immediately. */
-                       if (pnt + BGP_ADDPATH_ID_LEN > lim)
+                       if (pnt + BGP_ADDPATH_ID_LEN >= lim)
                                return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 
                        addpath_id = ntohl(*((uint32_t *)pnt));
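
Review bot: The new `>=` bound in the `addpath_encoded` branch is stricter than the `uint32_t` read on the following line needs, and the comment above it ("When packet overflow occurs return immediately") does not say why. Provided BGP_ADDPATH_ID_LEN covers that 4-byte read, the old `>` already kept the ID itself inside `lim`; `>=` additionally requires at least one byte after the ID, so the overflow being fixed must occur in whatever is read once `pnt` moves past the ID, which this hunk does not show. Please extend the comment to name that extra octet so the comparison is not "corrected" back to `>` later. Consider also comparing remaining length rather than forming `pnt + BGP_ADDPATH_ID_LEN`, which can point beyond the end of the buffer before it is compared: `if (lim - pnt <= BGP_ADDPATH_ID_LEN)`.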