From 42a301d5d49c873031546ce4524ff6a1dd316d0e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Thu, 13 Jun 2024 08:43:21 +0300
Subject: [PATCH 1/2] bgpd: Adjust the length of tunnel encap sub-tlv by sub-tlv type

Fixes: 79563af564ad0fe5b9c8d95bf080d570f87b1859 ("bgpd: Get 1 or 2 octets for Sub-TLV length (Tunnel Encap attr)")
Signed-off-by: Donatas Abraitis
(cherry picked from commit 34b209f0ae2caca0d1ebcde9d4095375ac31b562)
---
 bgpd/bgp_attr.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 7aabc2d82028..159aa68fee04 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2707,10 +2707,13 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 if (BGP_ATTR_ENCAP == type) {
 subtype = stream_getc(BGP_INPUT(peer));
- sublength = (subtype < 128)
- ? stream_getc(BGP_INPUT(peer))
- : stream_getw(BGP_INPUT(peer));
- length -= 2;
+ if (subtype < 128) {
+ sublength = stream_getc(BGP_INPUT(peer));
+ length -= 2;
+ } else {
+ sublength = stream_getw(BGP_INPUT(peer));
+ length -= 3;
+ }
 #ifdef ENABLE_BGP_VNC
 } else {
 subtype = stream_getw(BGP_INPUT(peer));
From 5389197b9426133a90c803aaff971b7846a734d1 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Thu, 13 Jun 2024 09:00:21 +0300
Subject: [PATCH 2/2] bgpd: Check if we have real stream data for tunnel encapsulation sub-tlvs

When the packet is malformed it can use whatever values it wants. Let's check what the real data we have in a stream instead of relying on malformed values.
Reported-by: Iggy Frankovic
Signed-off-by: Donatas Abraitis
(cherry picked from commit 9929486d6bdb28469a5b626a17d5bc9991c83ce3)
---
 bgpd/bgp_attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 159aa68fee04..da928a21296a 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
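Review bot: The `subtype < 128` test and the `length -= 2` / `length -= 3` adjustments in the BGP_ATTR_ENCAP branch of patch 1/2 are bare constants with nothing tying them to the wire format. A short comment above the `if`, such as `/* Sub-TLV types 0-127 carry a 1-octet length, 128-255 a 2-octet length; deduct the header octets actually read. */`, would help keep the reads and the accounting from drifting apart again. Nothing inside the hunk checks that `length` is at least 3 before the subtraction; at this commit that presumably rests on the loop guard, which lies outside the hunk. The `#ifdef ENABLE_BGP_VNC` branch also continues past the hunk, so its length accounting cannot be checked from here.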
@@ -2700,7 +2700,7 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args)
 }
 }
- while (length >= 4) {
+ while (STREAM_READABLE(BGP_INPUT(peer)) >= 4) {
 uint16_t subtype = 0;
 uint16_t sublength = 0;
 struct bgp_attr_encap_subtlv *tlv;
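Review bot: The new guard `STREAM_READABLE(BGP_INPUT(peer)) >= 4` bounds the loop by what is left in the peer's input stream, not by this attribute's remaining `length`. If the stream still holds data after the attribute, the loop can keep running once `length` is exhausted, and the `length -= 2` / `length -= 3` from patch 1/2 would then drop below zero (a wrap if `length` is unsigned; its declaration is outside the hunk). Keeping both bounds, `while (length >= 4 && STREAM_READABLE(BGP_INPUT(peer)) >= 4) {`, would hold the parser inside the attribute and inside the data actually received. Any later `sublength` checks in the loop body are not visible here, so they may already cover part of this.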