Skip to content

Commit

Permalink
bgpd: Ensure that bgp open message stream has enough data to read
Browse files Browse the repository at this point in the history
If a operator receives an invalid packet that is of insufficient size
then it is possible for BGP to assert during reading of the packet
instead of gracefully resetting the connection with the peer.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
  • Loading branch information
donaldsharp committed Nov 2, 2022
1 parent 8d133f9 commit 766eec1
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions bgpd/bgp_packet.c
Original file line number Diff line number Diff line change
Expand Up @@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
|| CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
uint8_t opttype;

if (STREAM_READABLE(peer->curr) < 1) {
flog_err(
EC_BGP_PKT_OPEN,
"%s: stream does not have enough bytes for extended optional parameters",
peer->host);
bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
BGP_NOTIFY_OPEN_MALFORMED_ATTR);
return BGP_Stop;
}

opttype = stream_getc(peer->curr);
if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
if (STREAM_READABLE(peer->curr) < 2) {
flog_err(
EC_BGP_PKT_OPEN,
"%s: stream does not have enough bytes to read the extended optional parameters optlen",
peer->host);
bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
BGP_NOTIFY_OPEN_MALFORMED_ATTR);
return BGP_Stop;
}
optlen = stream_getw(peer->curr);
SET_FLAG(peer->sflags,
PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
Expand Down

0 comments on commit 766eec1

Please sign in to comment.