From 0f5834d49960807881ec1c8020349476255f2271 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Sun, 26 May 2024 18:49:22 +0300
Subject: [PATCH] bgpd: Make sure we have enough data to handle extended link bandwidth
Extended link bandwidth is encoded inside extended community as a ipv6-address specific extended community, but with a malformed packet we should do the sanity check here to have enough data. Especially before doing ptr_get_be64().
Reported-by: Iggy Frankovic
Signed-off-by: Donatas Abraitis
---
 bgpd/bgp_ecommunity.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c
index 88f139cafd..66898d07bc 100644
--- a/bgpd/bgp_ecommunity.c
+++ b/bgpd/bgp_ecommunity.c
@@ -1048,13 +1048,17 @@ static int ecommunity_lb_str(char *buf, size_t bufsz, const uint8_t *pnt,
 return len;
 }
-static int ipv6_ecommunity_lb_str(char *buf, size_t bufsz, const uint8_t *pnt)
+static int ipv6_ecommunity_lb_str(char *buf, size_t bufsz, const uint8_t *pnt,
+ size_t length)
 {
 int len = 0;
- as_t as;
- uint64_t bw;
+ as_t as = 0;
+ uint64_t bw = 0;
 char bps_buf[20] = { 0 };
+ if (length < IPV6_ECOMMUNITY_SIZE)
+ goto done;
+
 pnt += 2; /* Reserved */
 pnt = ptr_get_be64(pnt, &bw);
 (void)ptr_get_be32(pnt, &as);
@@ -1071,6 +1075,7 @@ static int ipv6_ecommunity_lb_str(char *buf, size_t bufsz, const uint8_t *pnt)
 else
 snprintfrr(bps_buf, sizeof(bps_buf), "%" PRIu64 " bps", bw * 8);
+done:
 len = snprintfrr(buf, bufsz, "LB:%u:%" PRIu64 " (%s)", as, bw, bps_buf);
 return len;
 }
@@ -1192,7 +1197,7 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter)
 type == ECOMMUNITY_ENCODE_AS4) {
 ipv6_ecommunity_lb_str(encbuf, sizeof(encbuf),
- pnt);
+ pnt, len);
 } else if (sub_type == ECOMMUNITY_NODE_TARGET && type == ECOMMUNITY_ENCODE_IP) {
 ecommunity_node_target_str(
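Review bot: The guard `if (length < IPV6_ECOMMUNITY_SIZE)` in `ipv6_ecommunity_lb_str` is only sound if `length` counts the bytes readable from `pnt` onward, and nothing in the patch states that. After the check the body skips 2 reserved bytes and then reads a 64-bit and a 32-bit field from `pnt`, while both call sites in `ecommunity_ecom2str` (the hunks at -1192 and -1410) pass a `len` whose declaration and meaning lie outside the hunks. If that `len` is a running string length or a total size rather than the bytes left in this community's value, a truncated value could presumably still reach `ptr_get_be64()`. I would state the contract above the function, e.g. `/* length: bytes available at pnt; must cover the whole IPv6-specific extended community */`, and check both callers against it; the function body continues past the end of this hunk.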
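Review bot: On the short-input path the new `done:` label falls straight into the normal formatter, so a truncated community is rendered as `LB:0:0 ()` with `as` and `bw` zero and `bps_buf` empty, and the function returns an ordinary length. Both call sites use the call as a bare statement and discard the return value, so nothing downstream can tell a malformed value from a genuine zero-bandwidth one except by the empty parentheses. Consider making the malformed case explicit in the output, for example replacing `goto done;` with `return snprintfrr(buf, bufsz, "LB:malformed");` if consumers of this string tolerate it, or at minimum a comment on the label such as `/* short input: print zeros rather than read past the buffer */`. The function starts in the previous hunk, so only its tail is visible here.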
@@ -1410,7 +1415,7 @@ char *ecommunity_ecom2str(struct ecommunity *ecom, int format, int filter)
 ecom->disable_ieee_floating);
 else if (sub_type == ECOMMUNITY_EXTENDED_LINK_BANDWIDTH)
 ipv6_ecommunity_lb_str(encbuf, sizeof(encbuf),
- pnt);
+ pnt, len);
 else
 unk_ecom = true;
 } else if (type == ECOMMUNITY_ENCODE_IP_NON_TRANS) {
-- 
2.39.5