BGP: make sure the path attributes don't go past the end of the packet.
author Guy Harris <gharris@sonic.net>
Mon, 15 Nov 2021 22:33:10 +0000 (14:33 -0800)
committer Guy Harris <gharris@sonic.net>
Mon, 15 Nov 2021 22:33:10 +0000 (14:33 -0800)
This fixes some undefined behavior in which we subtract the remaining
length of the path attributes from the remaining length of the packet,
where the former is greater than the latter and they're both unsigned.

print-bgp.c

index 4404b026d29a484ba361b1d335b9c78306b84e30..0a09d9c246b144712faad832fa548d5fbc2affa7 100644 (file)
@@ -2804,6 +2804,9 @@ bgp_update_print(netdissect_options *ndo,
     }
 
     if (len) {
+        /* Make sure the path attributes don't go past the end of the packet */
+        if (length < len)
+            goto trunc;
         /* do something more useful!*/
         while (len) {
             uint8_t aflags, atype, alenlen;
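
Review bot: the new `if (length < len)` check at the top of the `if (len)` block jumps to `trunc`, but what it detects is a path-attribute length that claims more bytes than the packet has left. If `length` is the remaining on-wire length rather than the captured length, that is a malformed length field, not a short capture, so consider reporting it as invalid, or state in the comment why truncation is the right label. The comment would also help a later reader more if it recorded the reason given in the commit message: both values are unsigned, so the subtraction described there would wrap instead of going negative. The existing `/* do something more useful!*/` comment now sits directly under the check and reads as if it refers to it; move it or drop it.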