Commit

Merge pull request #16503 from FRRouting/mergify/bp/stable/10.0/pr-16497
bgpd: Check the actual remaining stream length before taking TLV value (backport #16497)
donaldsharp authored Jul 31, 2024
2 parents e77bd73 + 094c357 commit fea4ed5
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions bgpd/bgp_attr.c
Expand Up @@ -2730,6 +2730,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
args->total);
}

if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
sublength, STREAM_READABLE(BGP_INPUT(peer)));
return bgp_attr_malformed(args,
BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
args->total);
}

/* alloc and copy sub-tlv */
/* TBD make sure these are freed when attributes are released */
tlv = XCALLOC(MTYPE_ENCAP_TLV,
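Review bot: The new zlog_err() call reports the sub-tlv length and the remaining stream length but not which peer sent the UPDATE, so an operator reading the log cannot tie the malformed Tunnel Encap attribute to a session. `peer` is already in scope for BGP_INPUT(peer); adding the peer to the message (for example peer->host) would make the entry actionable. Separately, the commit touches only bgpd/bgp_attr.c: a regression test that feeds a Tunnel Encap attribute whose sub-tlv length exceeds the readable bytes, and asserts the bgp_attr_malformed() path with BGP_NOTIFY_UPDATE_OPT_ATTR_ERR is taken before the XCALLOC and copy, would keep this bounds check from regressing.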