bgpd: Check the length of the rcv software version

Make sure we don't exceed the maximum of BGP_MAX_SOFT_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index e826548e69914d6f04c76aa8b8fd4491156bf60b..9cb88a2d6d4ca38a3ed4a062ffb8e7a14eb3aa15 100644 (file)
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -911,8 +911,18 @@ static int bgp_capability_software_version(struct peer *peer,
                return -1;
        }
 
-       if (len) {
+       if (len > BGP_MAX_SOFT_VERSION) {
+               flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH,
+                         "%s: Received Software Version, but the length is too big, truncating, from peer %s",
+                         __func__, peer->host);
+               stream_get(str, s, BGP_MAX_SOFT_VERSION);
+               stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION);
+               len = BGP_MAX_SOFT_VERSION;
+       } else if (len) {
                stream_get(str, s, len);
+       }
+
+       if (len) {
                str[len] = '\0';
 
                XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version);