bgpd: More validations for labeled unicast and ENCAP attribute

[ton31337]

No description provided.

[greptile-apps]

Greptile Summary

This PR adds two defensive input-validation fixes in BGP attribute parsing to harden against malformed UPDATE messages.

• bgpd/bgp_attr.c — The ENCAP sub-TLV while loop previously iterated as long as there were ≥ 4 bytes available in the input stream, completely ignoring the attribute's declared length. Adding length > 0 ensures the loop stops once the allocated attribute bytes are consumed and does not accidentally read into subsequent attributes.
• bgpd/bgp_label.c — p.prefixlen = prefixlen - BSIZE(llen) was computed before the prefixlen < 24 validation check. When a peer sends a prefixlen < BSIZE(llen) (i.e., < 24), the subtraction would produce an unsigned integer underflow. The reordering ensures the assignment only happens after the sanity check passes, eliminating the spurious underflow.

Confidence Score: 5/5

• Both changes are correct, targeted defensive fixes with no functional regressions — safe to merge.
• The two changes are minimal, well-scoped, and address real issues: an infinite/over-reading loop in ENCAP parsing and an unsigned underflow in labeled-unicast NLRI parsing. The logic is straightforward and the surrounding validation already in place means there is no risk of introducing new bugs.
• No files require special attention.

Important Files Changed

Filename	Overview
bgpd/bgp_attr.c	Adds length > 0 guard to the ENCAP sub-TLV parsing loop, preventing over-reads beyond the attribute's declared boundary into subsequent attributes.
bgpd/bgp_label.c	Moves p.prefixlen assignment after the prefixlen < 24 validation check, preventing an unsigned integer underflow when a peer sends an invalid short prefix length.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Receive BGP UPDATE] --> B{Parse ENCAP attribute}
    B -->|length < 4| ERR1[Return malformed error]
    B -->|OK| C[Read outer TLV type + length\nlength -= 4]
    C -->|tlv_length != length| ERR2[Return malformed error]
    C -->|OK| D{length > 0 AND\nSTREAM_READABLE >= 4?}
    D -->|No - loop exits| E[Done parsing ENCAP]
    D -->|Yes| F[Read sub-TLV header\nlength -= header bytes]
    F -->|sublength > length| ERR3[Return malformed error]
    F -->|OK| G[Read sub-TLV value\nlength -= sublength]
    G --> D

    H[Receive Labeled Unicast NLRI] --> I[Fetch prefixlen, psize]
    I --> J[bgp_nlri_get_labels\nreturns llen]
    J -->|llen == 0| ERR4[Return label length error]
    J -->|OK| K{prefixlen < 24?}
    K -->|Yes| ERR5[Return label length error]
    K -->|No| L[p.prefixlen = prefixlen - BSIZE llen]
    L --> M{p.prefixlen > max bitlen?}
    M -->|Yes| ERR6[Return prefix length error]
    M -->|No| N[Process prefix normally]

Loading

_{Reviews (1): Last reviewed commit: "bgpd: Check the length also when parsing..." | Re-trigger Greptile}