1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
From 73ad93a83f18564bb7bff4659872f7ec1a64b05e Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Sun, 20 Aug 2023 21:37:25 +0300
Subject: [PATCH] bgpd: Check the length of the rcv software version
Make sure we don't exceed the maximum of BGP_MAX_SOFT_VERSION.
The Capability Length SHOULD be no greater than 64.
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit b4d09af9194d20a7f9f16995a062f5d8e3d32840)
---
bgpd/bgp_open.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index 0dd546397..e7e3c2191 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -940,8 +940,18 @@ static int bgp_capability_software_version(struct peer *peer,
return -1;
}
- if (len) {
+ if (len > BGP_MAX_SOFT_VERSION) {
+ flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH,
+ "%s: Received Software Version, but the length is too big, truncating, from peer %s",
+ __func__, peer->host);
+ stream_get(str, s, BGP_MAX_SOFT_VERSION);
+ stream_forward_getp(s, len - BGP_MAX_SOFT_VERSION);
+ len = BGP_MAX_SOFT_VERSION;
+ } else if (len) {
stream_get(str, s, len);
+ }
+
+ if (len) {
str[len] = '\0';
XFREE(MTYPE_BGP_SOFT_VERSION, peer->soft_version);
--
2.39.2
|