bgpd: Fix 2 read beyond end of streams in bgp srv6 packet processing
authorDonald Sharp <sharpd@nvidia.com>
Fri, 2 Dec 2022 16:15:54 +0000 (11:15 -0500)
committerDonald Sharp <sharpd@nvidia.com>
Mon, 5 Dec 2022 13:47:45 +0000 (08:47 -0500)
It's possible to send less data than the length you say you are sending.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
bgpd/bgp_attr.c

index 1f8c7dc098f916437852f2c549c48013020dd1f7..ace7e7975331c28da2e97a608fee4c3a237fa27d 100644 (file)
@@ -2702,6 +2702,18 @@ bgp_attr_srv6_service_data(struct bgp_attr_parser_args *args)
        }
 
        if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE) {
+               if (STREAM_READABLE(peer->curr) <
+                   BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {
+                       flog_err(
+                               EC_BGP_ATTR_LEN,
+                               "Malformed SRv6 Service Data Sub-Sub-TLV attribute - insufficient data (need %u, have %zu remaining in UPDATE)",
+                               BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH,
+                               STREAM_READABLE(peer->curr));
+                       return bgp_attr_malformed(
+                               args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+                               args->total);
+               }
+
                loc_block_len = stream_getc(peer->curr);
                loc_node_len = stream_getc(peer->curr);
                func_len = stream_getc(peer->curr);
@@ -2774,6 +2786,17 @@ bgp_attr_srv6_service(struct bgp_attr_parser_args *args)
        }
 
        if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO) {
+               if (STREAM_READABLE(peer->curr) <
+                   BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH) {
+                       flog_err(
+                               EC_BGP_ATTR_LEN,
+                               "Malformed SRv6 Service Sub-TLV attribute - insufficent data (need %d for attribute data, have %zu remaining in UPDATE)",
+                               BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_INFO_LENGTH,
+                               STREAM_READABLE(peer->curr));
+                       return bgp_attr_malformed(
+                               args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+                               args->total);
+               }
                stream_getc(peer->curr);
                stream_get(&ipv6_sid, peer->curr, sizeof(ipv6_sid));
                sid_flags = stream_getc(peer->curr);