From 4f000d78206a3ea926e616d6ea2b50f5d8b2e04c Mon Sep 17 00:00:00 2001
From: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Date: Tue, 5 Apr 2016 22:25:51 +0900
Subject: packet: handle malformed option param length in OpenMessage

Fixes a possible crash in  BGPOpen's DecodeFromBytes().

fixes #818

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
---
 packet/bgp/bgp.go | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'packet/bgp')

diff --git a/packet/bgp/bgp.go b/packet/bgp/bgp.go
index b7ee98cb..2de2af63 100644
--- a/packet/bgp/bgp.go
+++ b/packet/bgp/bgp.go
@@ -666,6 +666,9 @@ func (msg *BGPOpen) DecodeFromBytes(data []byte) error {
 	for rest := msg.OptParamLen; rest > 0; {
 		paramtype := data[0]
 		paramlen := data[1]
+		if rest < paramlen+2 {
+			return fmt.Errorf("Malformed BGP Open message")
+		}
 		rest -= paramlen + 2
 
 		if paramtype == BGP_OPT_CAPABILITY {
-- 
cgit v1.2.3