From 5c111a25d4ee8cfa2982c5419163e0ab9a198ebf Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Fri, 25 Mar 2022 07:44:55 -0400
Subject: [PATCH] bgpd: Fix possible insufficient stream data
When reading the BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE it is possible that the length read in the packet is insufficiently large enough to read a BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE. Let's ensure that it is.
Fixes: #10860
Signed-off-by: Donald Sharp
---
 bgpd/bgp_attr.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index a96b63cac6..499edb4c86 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2572,6 +2572,16 @@ bgp_attr_srv6_service_data(struct bgp_attr_parser_args *args)
 args->total);
 }
 
+ if (length < BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+ "Malformed SRv6 Service Data Sub-Sub-TLV attribute - insufficient data (need %hu, have %u remaining in UPDATE)",
+ BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH,
+ length);
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+ args->total);
+ }
+
 if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE) {
 loc_block_len = stream_getc(peer->curr);
 loc_node_len = stream_getc(peer->curr);
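Review bot: The new length guard sits ahead of the `if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE)` test, so it is applied to every sub-sub-TLV type and not only to the one whose fixed-size body is read with `stream_getc()`. If the function has a fallback that skips unrecognised types by `length` (not visible in this hunk), a short unknown sub-sub-TLV would now turn the whole attribute into a malformed one; moving the guard inside the type branch would avoid that. The comparison is also only a lower bound: a `length` larger than the structure still passes while the visible reads consume single fixed bytes, so either confirm that the remainder is skipped or reject it with `if (length != BGP_PREFIX_SID_SRV6_L3_SERVICE_SID_STRUCTURE_LENGTH)`. The body of bgp_attr_srv6_service_data starts and ends outside the hunk.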