bgpd: fix bad bounds check for addpath in nlri

If a peer advertised capability addpath in their OPEN, but sent us an UPDATE without an ADDPATH, we overflow a heap buffer. Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
author: Quentin Young <qlyoung@cumulusnetworks.com> 2019-11-24 08:02:54 +0100
committer: Quentin Young <qlyoung@cumulusnetworks.com> 2019-11-24 08:48:11 +0100
commit: 761ed6652411fc127e1eacb82144f158b3042a72 (patch)
tree: 1ed87b398147e0aad93f55b3dbf2dbb9601df15d /bgpd/bgp_route.c
parent: Merge pull request #5413 from donaldsharp/eigrp_cleanup1 (diff)
download: frr-761ed6652411fc127e1eacb82144f158b3042a72.tar.xz
frr-761ed6652411fc127e1eacb82144f158b3042a72.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
index fb2eb10dd..71411df6e 100644
--- a/bgpd/bgp_route.c
+++ b/bgpd/bgp_route.c
@@ -4481,7 +4481,7 @@ int bgp_nlri_parse_ip(struct peer *peer, struct attr *attr,
 		if (addpath_encoded) {
 
 			/* When packet overflow occurs return immediately. */
-			if (pnt + BGP_ADDPATH_ID_LEN > lim)
+			if (pnt + BGP_ADDPATH_ID_LEN >= lim)
 				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 
 			addpath_id = ntohl(*((uint32_t *)pnt));
author	Quentin Young <qlyoung@cumulusnetworks.com>	2019-11-24 08:02:54 +0100
committer	Quentin Young <qlyoung@cumulusnetworks.com>	2019-11-24 08:48:11 +0100
commit	761ed6652411fc127e1eacb82144f158b3042a72 (patch)
tree	1ed87b398147e0aad93f55b3dbf2dbb9601df15d /bgpd/bgp_route.c
parent	Merge pull request #5413 from donaldsharp/eigrp_cleanup1 (diff)
download	frr-761ed6652411fc127e1eacb82144f158b3042a72.tar.xz frr-761ed6652411fc127e1eacb82144f158b3042a72.zip