Merge pull request #16504 from FRRouting/mergify/bp/stable/9.1/pr-16497

bgpd: Check the actual remaining stream length before taking TLV value (backport #16497)
author: Donald Sharp <donaldsharp72@gmail.com> 2024-07-31 12:34:37 -0400
committer: GitHub <noreply@github.com> 2024-07-31 12:34:37 -0400
commit: 3f6b0281f0c32c2090951e7723291cc78cf21d5c (patch)
tree: 82e56bc27eb9393a900b15d47e3a2a7e28f70051
parent: cfcc247aa37cc6c2cd2090c995dfda6330ef5685 (diff)
parent: 21cd931a5f9303e12104c72ce31ca383c0c57514 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index da928a2129..a835a6df90 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2730,6 +2730,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 						  args->total);
 		}
 
+		if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+				 sublength, STREAM_READABLE(BGP_INPUT(peer)));
+			return bgp_attr_malformed(args,
+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+						  args->total);
+		}
+
 		/* alloc and copy sub-tlv */
 		/* TBD make sure these are freed when attributes are released */
 		tlv = XCALLOC(MTYPE_ENCAP_TLV,
author	Donald Sharp <donaldsharp72@gmail.com>	2024-07-31 12:34:37 -0400
committer	GitHub <noreply@github.com>	2024-07-31 12:34:37 -0400
commit	3f6b0281f0c32c2090951e7723291cc78cf21d5c (patch)
tree	82e56bc27eb9393a900b15d47e3a2a7e28f70051
parent	cfcc247aa37cc6c2cd2090c995dfda6330ef5685 (diff)
parent	21cd931a5f9303e12104c72ce31ca383c0c57514 (diff)