From f067ab5d9fe331151b710d3d6dffbcb5805dd6da Mon Sep 17 00:00:00 2001
From: Mark Stapp <mjs@labn.net>
Date: Mon, 9 Jan 2023 11:57:58 -0500
Subject: [PATCH] bfdd: validate incoming control message length

Apply upper bound on incoming control messages, drop invalid
messages.

Signed-off-by: Mark Stapp <mjs@labn.net>
---
 bfdd/control.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/bfdd/control.c b/bfdd/control.c
index 473843fe25..01cfed8f90 100644
--- a/bfdd/control.c
+++ b/bfdd/control.c
@@ -435,6 +435,15 @@ static void control_read(struct thread *t)
 		return;
 	}
 
+#define FRR_BFD_MAXLEN 10 * 1024
+
+	if (plen > FRR_BFD_MAXLEN) {
+		zlog_debug("%s: client closed, invalid message length: %d",
+			   __func__, bcm.bcm_length);
+		control_free(bcs);
+		return;
+	}
+
 	if (bcm.bcm_ver != BMV_VERSION_1) {
 		zlog_debug("%s: client closed due bad version: %d", __func__,
 			   bcm.bcm_ver);
-- 
2.39.5