From: Donald Sharp Date: Fri, 3 Nov 2017 19:25:31 +0000 (-0400) Subject: bgpd: Prevent infinite loop when reading capabilities X-Git-Tag: frr-4.0-dev~167^2 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=d2b6417bd6f91cdc614c3bf983370c030f03642b;p=matthieu%2Ffrr.git bgpd: Prevent infinite loop when reading capabilities If the user has configured the ability to override the capabilities or if the afi/safi passed as part of the _MP capability is not understood, then we can enter into an infinite loop as part of the capability parsing. Signed-off-by: Donald Sharp
---
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index a66d0590c9..79ce550a38 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2011,6 +2011,7 @@ static int bgp_capability_msg_parse(struct peer *peer, u_char *pnt,
 /* Fetch structure to the byte stream. */
 memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
+ pnt += hdr->length + 3;
 /* We know MP Capability Code. */
 if (hdr->code == CAPABILITY_CODE_MP) {
@@ -2063,7 +2064,6 @@ static int bgp_capability_msg_parse(struct peer *peer, u_char *pnt,
 "%s unrecognized capability code: %d - ignored",
 peer->host, hdr->code);
 }
- pnt += hdr->length + 3;
 }
 return 0;
 }
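Review bot: The `memcpy` directly above the added `pnt += hdr->length + 3;` copies a fixed `sizeof(struct capability_mp_data)` bytes from `pnt + 3` for every capability, while the advance uses the peer-supplied `hdr->length`, so a capability shorter than that struct would make the copy read past its own data and possibly past the end of the message. The bounds checks earlier in the loop are outside this hunk, so this may already be covered; if it is not, the copy should be guarded with something like `if (hdr->length < sizeof(struct capability_mp_data))` handled as a malformed-packet error, or moved inside the `CAPABILITY_CODE_MP` branch. Separately, with the advance hoisted, any statement between the two hunks that still reads `pnt` would now see the next capability rather than the current one; that stretch is not visible here and is worth checking. A short comment on the new line, e.g. `/* Advance now: the continue paths below must not skip this. */`, would keep a later cleanup from moving it back to the end of the loop.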