From 763a5d3c2dc7e9061006d56a9a983c2a8be64765 Mon Sep 17 00:00:00 2001
From: Quentin Young <qlyoung@nvidia.com>
Date: Wed, 2 Sep 2020 16:44:13 -0400
Subject: [PATCH] bgpd: use stream_rewind_getp() to remove overflow

Passing a negative argument to a size_t parameter creates an overflow
condition

Signed-off-by: Quentin Young <qlyoung@nvidia.com>
---
 bgpd/bgp_attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index cac3ab1ca7..7c4ee44bd5 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -3023,7 +3023,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr,
 			size_t lfl =
 				CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 2 : 1;
 			/* Rewind to end of flag field */
-			stream_forward_getp(BGP_INPUT(peer), -(1 + lfl));
+			stream_rewind_getp(BGP_INPUT(peer), (1 + lfl));
 			/* Type */
 			stream_get(&ndata[0], BGP_INPUT(peer), 1);
 			/* Length */
-- 
2.39.5