Some memory backport 8.2

bgpd/bgp_packet.c

@@ -2440,6 +2440,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
 				"%s CAPABILITY has action: %d, code: %u, length %u",
 				peer->host, action, hdr->code, hdr->length);
 
+		if (hdr->length < sizeof(struct capability_mp_data)) {
+			zlog_info(
+				"%s Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+				peer->host, sizeof(struct capability_mp_data),
+				hdr->length);
+			return BGP_Stop;
+		}
+
 		/* Capability length check. */
 		if ((pnt + hdr->length + 3) > end) {
 			zlog_info("%s Capability length error", peer->host);

isisd/isis_tlvs.c

@@ -2966,9 +2966,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap,
 }
 
 static int unpack_tlv_router_cap(enum isis_tlv_context context,
-				       uint8_t tlv_type, uint8_t tlv_len,
-				       struct stream *s, struct sbuf *log,
-				       void *dest, int indent)
+				 uint8_t tlv_type, uint8_t tlv_len,
+				 struct stream *s, struct sbuf *log, void *dest,
+				 int indent)
 {
 	struct isis_tlvs *tlvs = dest;
 	struct isis_router_cap *rcap;
@@ -3013,7 +3013,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
 				log, indent,
 				"WARNING: Router Capability subTLV length too large compared to expected size\n");
 			stream_forward_getp(s, STREAM_READABLE(s));
-
+			XFREE(MTYPE_ISIS_TLV, rcap);
 			return 0;
 		}
 

ospfclient/ospf_apiclient.c

@@ -447,6 +447,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient,
 		return OSPF_API_ILLEGALLSATYPE;
 	}
 
+	if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) {
+		fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n",
+			opaquelen, sizeof(buf));
+		return OSPF_API_NOMEMORY;
+	}
+
 	/* Make a new LSA from parameters */
 	lsah = (struct lsa_header *)buf;
 	lsah->ls_age = 0;