From: Quentin Young Date: Sun, 24 Nov 2019 07:02:54 +0000 (-0500) Subject: bgpd: fix bad bounds check for addpath in nlri X-Git-Tag: frr-7.2.1~1^2~9 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=61dad26069acba48c7a1a94c7596e52031972f7e;p=matthieu%2Ffrr.git bgpd: fix bad bounds check for addpath in nlri If a peer advertised capability addpath in their OPEN, but sent us an UPDATE without an ADDPATH, we overflow a heap buffer. Signed-off-by: Quentin Young --- diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c index ea451f5f8d..494ca4b00b 100644 --- a/bgpd/bgp_route.c +++ b/bgpd/bgp_route.c @@ -4465,7 +4465,7 @@ int bgp_nlri_parse_ip(struct peer *peer, struct attr *attr, if (addpath_encoded) { /* When packet overflow occurs return immediately. */ - if (pnt + BGP_ADDPATH_ID_LEN > lim) + if (pnt + BGP_ADDPATH_ID_LEN >= lim) return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);
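Review bot: The comment above the changed comparison in bgp_nlri_parse_ip still reads "When packet overflow occurs return immediately." and does not explain why the boundary case `pnt + BGP_ADDPATH_ID_LEN == lim` is now rejected. The memcpy that follows copies exactly BGP_ADDPATH_ID_LEN bytes, which the old `>` test already kept within lim, so the `>=` can only be guaranteeing that at least one byte remains after the path ID for a read that lies outside this hunk. Please say so in the comment (which byte is expected after the ID), otherwise the comparison looks like an off-by-one and invites being changed back. It would also be more robust to compare lengths instead of pointers, for example `lim - pnt <= BGP_ADDPATH_ID_LEN`, so that no pointer beyond lim is formed when the remaining data is short. Since the commit message describes a concrete trigger (addpath negotiated in OPEN, UPDATE sent without the path ID), a test that feeds such an UPDATE and expects BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW would keep this from regressing.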