From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 20 Aug 2023 18:37:25 +0000 (+0300)
Subject: bgpd: Check the length of the rcv software version
X-Git-Tag: docker/9.0.1~13^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=refs%2Fpull%2F14250%2Fhead;p=mirror%2Ffrr.git

bgpd: Check the length of the rcv software version

Make sure we don't exceed the maximum of BGP_MAX_SOFT_VERSION.

The Capability Length SHOULD be no greater than 64.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit b4d09af9194d20a7f9f16995a062f5d8e3d32840)
---

diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index 0dd5463979..e7e3c2191a 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -940,8 +940,18 @@ static int bgp_capability_software_version(struct peer *peer,
 		return -1;
 	}
 
-	if (len) {
+	if (len > BGP_MAX_SOFT_VERSION) {
+		flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH,
+			  "%s: Received Software Version, but the length is too big, truncating, from peer %s",
+			  __func__, peer->host);
+		stream_get(str, s, BGP_MAX_SOFT_VERSION);
+		stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION);
+		len = BGP_MAX_SOFT_VERSION;
+	} else if (len) {
 		stream_get(str, s, len);
+	}
+
+	if (len) {
 		str[len] = '\0';
 
 		XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version);