From 73ad93a83f18564bb7bff4659872f7ec1a64b05e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Sun, 20 Aug 2023 21:37:25 +0300
Subject: [PATCH] bgpd: Check the length of the rcv software version
Make sure we don't exceed the maximum of BGP_MAX_SOFT_VERSION. The Capability Length SHOULD be no greater than 64.
Reported-by: Iggy Frankovic
Signed-off-by: Donatas Abraitis
(cherry picked from commit b4d09af9194d20a7f9f16995a062f5d8e3d32840)
---
 bgpd/bgp_open.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index 0dd546397..e7e3c2191 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -940,8 +940,18 @@ static int bgp_capability_software_version(struct peer *peer,
 return -1;
 }
- if (len) {
+ if (len > BGP_MAX_SOFT_VERSION) {
+ flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH,
+ "%s: Received Software Version, but the length is too big, truncating, from peer %s",
+ __func__, peer->host);
+ stream_get(str, s, BGP_MAX_SOFT_VERSION);
+ stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION);
+ len = BGP_MAX_SOFT_VERSION;
+ } else if (len) {
 stream_get(str, s, len);
+ }
+
+ if (len) {
 str[len] = '\0';
 XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version);
--
2.39.2
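Review bot: The truncation branch leaves `len == BGP_MAX_SOFT_VERSION`, so the following `str[len] = '\0';` writes at index BGP_MAX_SOFT_VERSION and is in bounds only if `str` is declared with at least `BGP_MAX_SOFT_VERSION + 1` bytes. That declaration is outside the hunk, so it should be confirmed and pinned next to the copy, for example with `_Static_assert(sizeof(str) > BGP_MAX_SOFT_VERSION, "str needs room for the NUL");` (assuming `str` is an array rather than a pointer). The copied bytes are peer-controlled and the visible lines do not check them for embedded NULs or non-printable characters, so anything that later logs or displays `peer->soft_version` should treat it as untrusted text. bgp_capability_software_version starts and ends outside the hunk.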