bgpd: fix bad bounds check for addpath in nlri

If a peer advertised capability addpath in their OPEN, but sent us an UPDATE without an ADDPATH, we overflow a heap buffer. Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
FRRouting · Jan 16, 2020 · 61dad26 · 61dad26
1 parent d8a9566
commit 61dad26
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c
@@ -4465,7 +4465,7 @@ int bgp_nlri_parse_ip(struct peer *peer, struct attr *attr,
 		if (addpath_encoded) {
 
 			/* When packet overflow occurs return immediately. */
-			if (pnt + BGP_ADDPATH_ID_LEN > lim)
+			if (pnt + BGP_ADDPATH_ID_LEN >= lim)
 				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 
 			memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN);