diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c index 7c92a8d9e83f..bcd47e32d453 100644 --- a/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c @@ -2440,6 +2440,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, "%s CAPABILITY has action: %d, code: %u, length %u", peer->host, action, hdr->code, hdr->length); + if (hdr->length < sizeof(struct capability_mp_data)) { + zlog_info( + "%s Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", + peer->host, sizeof(struct capability_mp_data), + hdr->length); + return BGP_Stop; + } + /* Capability length check. */ if ((pnt + hdr->length + 3) > end) { zlog_info("%s Capability length error", peer->host); diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c index f1aae7caf107..dad271225b3d 100644 --- a/isisd/isis_tlvs.c +++ b/isisd/isis_tlvs.c @@ -2966,9 +2966,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap, } static int unpack_tlv_router_cap(enum isis_tlv_context context, - uint8_t tlv_type, uint8_t tlv_len, - struct stream *s, struct sbuf *log, - void *dest, int indent) + uint8_t tlv_type, uint8_t tlv_len, + struct stream *s, struct sbuf *log, void *dest, + int indent) { struct isis_tlvs *tlvs = dest; struct isis_router_cap *rcap; @@ -3013,7 +3013,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context, log, indent, "WARNING: Router Capability subTLV length too large compared to expected size\n"); stream_forward_getp(s, STREAM_READABLE(s)); - + XFREE(MTYPE_ISIS_TLV, rcap); return 0; } diff --git a/ospfclient/ospf_apiclient.c b/ospfclient/ospf_apiclient.c index 29f1c0807db4..51c8a5b8c065 100644 --- a/ospfclient/ospf_apiclient.c +++ b/ospfclient/ospf_apiclient.c @@ -447,6 +447,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient, return OSPF_API_ILLEGALLSATYPE; } + if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) { + fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n", + opaquelen, sizeof(buf)); + return OSPF_API_NOMEMORY; + } + /* Make a new LSA from parameters */ lsah = (struct lsa_header *)buf; lsah->ls_age = 0;