bgpd: Prevent infinite loop when reading capabilities 1406/head
authorDonald Sharp <sharpd@cumulusnetworks.com>
Fri, 3 Nov 2017 19:25:31 +0000 (15:25 -0400)
committerDonald Sharp <sharpd@cumulusnetworks.com>
Mon, 6 Nov 2017 15:38:05 +0000 (10:38 -0500)
If the user has configured the ability to override
the capabilities or if the afi/safi passed as part
of the _MP capability is not understood, then we
can enter into an infinite loop as part of the
capability parsing.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
bgpd/bgp_packet.c

index a66d0590c951a8c02211e2bc477158fdb054192e..79ce550a385beb5c05449292e65ae8230019dbdc 100644 (file)
@@ -2011,6 +2011,7 @@ static int bgp_capability_msg_parse(struct peer *peer, u_char *pnt,
 
                /* Fetch structure to the byte stream. */
                memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
+               pnt += hdr->length + 3;
 
                /* We know MP Capability Code. */
                if (hdr->code == CAPABILITY_CODE_MP) {
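Review bot: The `memcpy` just above the new `pnt += hdr->length + 3;` still copies `sizeof(struct capability_mp_data)` bytes from `pnt + 3` for every capability, before `hdr->code` is checked and without comparing `hdr->length` to that size. A peer-supplied capability shorter than the struct would make the copy read beyond its declared payload and possibly beyond the message buffer; any earlier bounds check lies outside this hunk, so this needs confirming against the full function. Consider moving the copy inside the `CAPABILITY_CODE_MP` branch, behind a guard such as `if (hdr->length < sizeof(struct capability_mp_data))` that rejects the message. The early advance also deserves a comment, e.g. `/* Advance now so paths that skip this capability cannot re-parse it; hdr still points at the old position. */`, because the ordering is what fixes the loop.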
@@ -2063,7 +2064,6 @@ static int bgp_capability_msg_parse(struct peer *peer, u_char *pnt,
                                "%s unrecognized capability code: %d - ignored",
                                peer->host, hdr->code);
                }
-               pnt += hdr->length + 3;
        }
        return 0;
 }