From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 21 Jul 2022 12:11:58 +0000 (-0400)
Subject: bgpd: Make sure hdr length is at a minimum of what is expected
X-Git-Tag: frr-8.3.2~14^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=066770ac1c69ee5b484bb82581b22ad0423b004d;p=mirror%2Ffrr.git

bgpd: Make sure hdr length is at a minimum of what is expected

Ensure that if the capability length specified is enough data.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit ff6db1027f8f36df657ff2e5ea167773752537ed)
---

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 7613ccc7df..a5f065a15c 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2621,6 +2621,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
 				"%s CAPABILITY has action: %d, code: %u, length %u",
 				peer->host, action, hdr->code, hdr->length);
 
+		if (hdr->length < sizeof(struct capability_mp_data)) {
+			zlog_info(
+				"%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+				peer, sizeof(struct capability_mp_data),
+				hdr->length);
+			return BGP_Stop;
+		}
+
 		/* Capability length check. */
 		if ((pnt + hdr->length + 3) > end) {
 			zlog_info("%s Capability length error", peer->host);