From: Donatas Abraitis Date: Thu, 13 Jun 2024 06:00:21 +0000 (+0300) Subject: bgpd: Check if we have real stream data for tunnel encapsulation sub-tlvs X-Git-Tag: docker/8.5.6~6^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=1352ab7c431974cedf7aae3e76aa1cf2461df09b;p=matthieu%2Ffrr.git bgpd: Check if we have real stream data for tunnel encapsulation sub-tlvs When the packet is malformed it can use whatever values it wants. Let's check what the real data we have in a stream instead of relying on malformed values. Reported-by: Iggy Frankovic Signed-off-by: Donatas Abraitis (cherry picked from commit 9929486d6bdb28469a5b626a17d5bc9991c83ce3) --- diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 76b698d759..006047bf87 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -2695,7 +2695,7 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args) } } - while (length >= 4) { + while (STREAM_READABLE(BGP_INPUT(peer)) >= 4) { uint16_t subtype = 0; uint16_t sublength = 0; struct bgp_attr_encap_subtlv *tlv;
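Review bot: In the `bgp_attr_encap` hunk, the new guard `while (STREAM_READABLE(BGP_INPUT(peer)) >= 4)` drops `length` from the loop condition entirely, so the loop is now bounded by the bytes left in the peer's input stream rather than by this attribute's declared length. If further data follows the tunnel encapsulation attribute in the same stream, the loop can keep consuming it as sub-TLVs. Consider keeping both bounds, e.g. `while (length >= 4 && STREAM_READABLE(BGP_INPUT(peer)) >= 4)`, so that neither a malformed length nor trailing stream data can drive the parse past where it should stop. The 4-byte check also only covers the sub-TLV header: `sublength` is declared here but its validation is outside the visible lines, so it is worth confirming that it is compared against `STREAM_READABLE(BGP_INPUT(peer))` before the value bytes are read. The commit message could also state what the parser does when the stream ends before the declared length is consumed (attribute treated as malformed, or silently truncated).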