From 0d079e01e55c35f466dc4982d9c2964f81a70140 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Fri, 24 May 2024 09:58:30 +0300
Subject: [PATCH] bgpd: Check if FQDN capability length is in valid ranges

If FQDN capability comes as dynamic capability we should check if the encoding is proper. Before this patch we returned an error if the hostname/domainname length check was > end. But technically, if the length is also == end, this is a malformed capability, because we use the data incorrectly after we check the length. This causes heap overflow (when compiled with address-sanitizer).
Signed-off-by: Iggy Frankovic
Signed-off-by: Donatas Abraitis
---
 bgpd/bgp_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index a32ee78861..86f85dd866 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -3433,7 +3433,7 @@ static void bgp_dynamic_capability_fqdn(uint8_t *pnt, int action,
 if (action == CAPABILITY_ACTION_SET) {
 /* hostname */
- if (data + 1 > end) {
+ if (data + 1 >= end) {
 zlog_err("%pBP: Received invalid FQDN capability (host name length)",
 peer);
 return;
@@ -3463,7 +3463,7 @@ static void bgp_dynamic_capability_fqdn(uint8_t *pnt, int action,
 peer->hostname = XSTRDUP(MTYPE_BGP_PEER_HOST, str);
 }
 
- if (data + 1 > end) {
+ if (data + 1 >= end) {
 zlog_err("%pBP: Received invalid FQDN capability (domain name length)",
 peer);
 return;
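Review bot: The new guard `if (data + 1 >= end)` rejects a hostname length octet that sits in the last position, which is stricter than the one-octet read it protects, and nothing on the line records why, so a later reader is likely to loosen it back to `>`. A comment on the new line such as `/* the length octet must be followed by at least one more octet: the name, or the domain-name length */` would pin the reasoning the commit message gives. Whether this guard alone covers the case the message describes, using the data after the length check, cannot be judged from the hunk, because the length read and the bound check against the decoded length follow it. bgp_dynamic_capability_fqdn starts before this hunk and continues after it.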
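Review bot: With `if (data + 1 >= end)` a domain-name length octet in the final position is now rejected even when it is 0, so a peer that signals "no domain name" with a single zero length octet would be logged as invalid instead of accepted with an empty domain; if the hostname capability encoding permits that, this is a behaviour change worth confirming before merge. The shape that keeps both the bound and the empty-name case is to reject only `data == end` before the length octet is read and then, once `len` is decoded, reject when `len > (size_t)(end - data)` before the name is copied, since that per-length check is what actually bounds the copy. That later check is outside the hunk, so I cannot tell whether it is already present. The function continues past the end of this hunk.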