|
 |
8eca10 |
From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
|
|
|
8eca10 |
From: Donald Sharp <sharpd@nvidia.com>
|
|
|
8eca10 |
Date: Thu, 21 Jul 2022 08:11:58 -0400
|
|
|
8eca10 |
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
|
|
|
8eca10 |
expected
|
|
|
8eca10 |
|
|
|
8eca10 |
Ensure that if the capability length specified is enough data.
|
|
|
8eca10 |
|
|
|
8eca10 |
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
|
|
8eca10 |
---
|
|
|
8eca10 |
bgpd/bgp_packet.c | 8 ++++++++
|
|
|
8eca10 |
1 file changed, 8 insertions(+)
|
|
|
8eca10 |
|
|
|
8eca10 |
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
|
|
|
8eca10 |
index dbf6c0b2e99..45752a8ab6d 100644
|
|
|
8eca10 |
--- a/bgpd/bgp_packet.c
|
|
|
8eca10 |
+++ b/bgpd/bgp_packet.c
|
|
|
8eca10 |
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
|
|
|
8eca10 |
"%s CAPABILITY has action: %d, code: %u, length %u",
|
|
|
8eca10 |
peer->host, action, hdr->code, hdr->length);
|
|
|
8eca10 |
|
|
|
8eca10 |
+ if (hdr->length < sizeof(struct capability_mp_data)) {
|
|
|
8eca10 |
+ zlog_info(
|
|
|
8eca10 |
+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
|
|
|
8eca10 |
+ peer, sizeof(struct capability_mp_data),
|
|
|
8eca10 |
+ hdr->length);
|
|
|
8eca10 |
+ return BGP_Stop;
|
|
|
8eca10 |
+ }
|
|
|
8eca10 |
+
|
|
|
8eca10 |
/* Capability length check. */
|
|
|
8eca10 |
if ((pnt + hdr->length + 3) > end) {
|
|
|
8eca10 |
zlog_info("%s Capability length error", peer->host);
|