bgpd: Make sure we have enough data to read restart time and flags for GR cap

Just a safety check to avoid out of bound reading. Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
author: Donatas Abraitis <donatas@opensourcerouting.org> 2023-08-30 16:29:11 +0200
committer: Donatas Abraitis <donatas@opensourcerouting.org> 2023-08-30 16:29:11 +0200
commit: 7d5873cdc46b51196f12181dae6069a15fb87d67 (patch)
tree: 6d3a34172662deaf3ec12a576853a9b6e02ed69a /bgpd/bgp_packet.c
parent: tests: Check if GR settings can be changed via BGP dynamic capabilities (diff)
download: frr-7d5873cdc46b51196f12181dae6069a15fb87d67.tar.xz
frr-7d5873cdc46b51196f12181dae6069a15fb87d67.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 97a68626e..f59fd0a61 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2817,8 +2817,15 @@ static void bgp_dynamic_capability_graceful_restart(uint8_t *pnt, int action,
 	uint16_t gr_restart_flag_time;
 	uint8_t *data = pnt + 3;
 	uint8_t *end = pnt + hdr->length;
+	size_t len = end - data;
 
 	if (action == CAPABILITY_ACTION_SET) {
+		if (len < sizeof(gr_restart_flag_time)) {
+			zlog_err("%pBP: Received invalid Graceful-Restart capability length %d",
+				 peer, hdr->length);
+			return;
+		}
+
 		SET_FLAG(peer->cap, PEER_CAP_RESTART_RCV);
 		ptr_get_be16(data, &gr_restart_flag_time);
 		data += sizeof(gr_restart_flag_time);
author	Donatas Abraitis <donatas@opensourcerouting.org>	2023-08-30 16:29:11 +0200
committer	Donatas Abraitis <donatas@opensourcerouting.org>	2023-08-30 16:29:11 +0200
commit	7d5873cdc46b51196f12181dae6069a15fb87d67 (patch)
tree	6d3a34172662deaf3ec12a576853a9b6e02ed69a /bgpd/bgp_packet.c
parent	tests: Check if GR settings can be changed via BGP dynamic capabilities (diff)
download	frr-7d5873cdc46b51196f12181dae6069a15fb87d67.tar.xz frr-7d5873cdc46b51196f12181dae6069a15fb87d67.zip