Merge pull request #16503 from FRRouting/mergify/bp/stable/10.0/pr-16497

bgpd: Check the actual remaining stream length before taking TLV value (backport #16497)
author: Donald Sharp <donaldsharp72@gmail.com> 2024-07-31 12:33:58 -0400
committer: GitHub <noreply@github.com> 2024-07-31 12:33:58 -0400
commit: fea4ed5043b4a523921f970a39a565d2c1ca381f (patch)
tree: 2a3e2a93ef9b14fe4018845b361defbb58027c1f
parent: e77bd737f4b7da147ddd1b3eeb941592adc34530 (diff)
parent: 094c35715a336446eaf225c0d68052c476488846 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index dd098cb157..5966b90ad0 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2730,6 +2730,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 						  args->total);
 		}
 
+		if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+				 sublength, STREAM_READABLE(BGP_INPUT(peer)));
+			return bgp_attr_malformed(args,
+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+						  args->total);
+		}
+
 		/* alloc and copy sub-tlv */
 		/* TBD make sure these are freed when attributes are released */
 		tlv = XCALLOC(MTYPE_ENCAP_TLV,
author	Donald Sharp <donaldsharp72@gmail.com>	2024-07-31 12:33:58 -0400
committer	GitHub <noreply@github.com>	2024-07-31 12:33:58 -0400
commit	fea4ed5043b4a523921f970a39a565d2c1ca381f (patch)
tree	2a3e2a93ef9b14fe4018845b361defbb58027c1f
parent	e77bd737f4b7da147ddd1b3eeb941592adc34530 (diff)
parent	094c35715a336446eaf225c0d68052c476488846 (diff)