From 3515178de4a56d66ed948a774efcbe4a854e1ca7 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 20 Aug 2023 22:15:27 +0300
Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead
 of stream

Reported-by: Iggy Frankovic iggyfran@amazon.com
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit 9b855a692e68e0d16467e190b466b4ecb6853702)
---
 bgpd/bgp_packet.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index a2959ef6e..60f1dcbcd 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2408,7 +2408,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size)
 				 * and 7 bytes of ORF Address-filter entry from
 				 * the stream
 				 */
-				if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
+				if (p_pnt < p_end &&
+				    *p_pnt & ORF_COMMON_PART_REMOVE_ALL) {
 					if (bgp_debug_neighbor_events(peer))
 						zlog_debug(
 							"%pBP rcvd Remove-All pfxlist ORF request",
-- 
2.39.2