Fix oss-fuzz issue 64111 (seladb#1237)

sashashura · web-flow · commit 9fbc712003ba · 2023-11-14T23:18:13.000-08:00
Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64111
diff --git a/Packet++/header/BgpLayer.h b/Packet++/header/BgpLayer.h
@@ -339,6 +339,14 @@ class BgpUpdateMessageLayer : public BgpLayer
 	 */
 	BgpUpdateMessageLayer(uint8_t* data, size_t dataLen, Layer* prevLayer, Packet* packet) : BgpLayer(data, dataLen, prevLayer, packet) {}
 
+	/**
+	* A static method that takes a byte array and detects whether it is a BgpUpdateMessage
+	* @param[in] data A byte array
+	* @param[in] dataSize The byte array size (in bytes)
+	* @return True if the data looks like a valid BgpUpdateMessage layer
+	*/
+	static bool isDataValid(const uint8_t *data, size_t dataSize);
+
 	/**
 	 * A c'tor that creates a new BGP UPDATE message
 	 * @param[in] withdrawnRoutes A vector of withdrawn routes data. If left empty (which is the default value) no withdrawn route information will be written to the message
diff --git a/Packet++/src/BgpLayer.cpp b/Packet++/src/BgpLayer.cpp
@@ -30,21 +30,22 @@ size_t BgpLayer::getHeaderLen() const
 
 BgpLayer* BgpLayer::parseBgpLayer(uint8_t* data, size_t dataLen, Layer* prevLayer, Packet* packet)
 {
-	if (dataLen < sizeof(bgp_common_header))
+	if (data == nullptr || dataLen < sizeof(bgp_common_header))
 		return nullptr;
 
 	bgp_common_header* bgpHeader = (bgp_common_header*)data;
 
 	// illegal header data - length is too small
-	if (be16toh(bgpHeader->length) < static_cast<uint16_t>(sizeof(bgp_common_header)))
+	uint16_t messageLen = be16toh(bgpHeader->length);
+	if (dataLen < messageLen || messageLen < static_cast<uint16_t>(sizeof(bgp_common_header)))
 		return nullptr;
 
 	switch (bgpHeader->messageType)
 	{
 	case 1: // OPEN
 		return new BgpOpenMessageLayer(data, dataLen, prevLayer, packet);
 	case 2: // UPDATE
-		return new BgpUpdateMessageLayer(data, dataLen, prevLayer, packet);
+		return BgpUpdateMessageLayer::isDataValid(data, dataLen) ? new BgpUpdateMessageLayer(data, dataLen, prevLayer, packet) : nullptr;
 	case 3: // NOTIFICATION
 		return new BgpNotificationMessageLayer(data, dataLen, prevLayer, packet);
 	case 4: // KEEPALIVE
@@ -703,6 +704,22 @@ void BgpUpdateMessageLayer::getNetworkLayerReachabilityInfo(std::vector<prefix_a
 	parsePrefixAndIPData(dataPtr, nlriSize, nlri);
 }
 
+bool BgpUpdateMessageLayer::isDataValid(const uint8_t *data, size_t dataSize)
+{
+	if (dataSize < sizeof(bgp_common_header) + 2*sizeof(uint16_t))
+		return false;
+
+	uint16_t withdrLen = be16toh(*(uint16_t*)(data + sizeof(bgp_common_header)));
+	if (dataSize < sizeof(bgp_common_header) + 2*sizeof(uint16_t) + withdrLen)
+		return false;
+
+	uint16_t attrLen = be16toh(*(uint16_t*)(data + sizeof(bgp_common_header) + sizeof(uint16_t) + withdrLen));
+	if (dataSize < sizeof(bgp_common_header) + 2*sizeof(uint16_t) + withdrLen + attrLen)
+		return false;
+
+	return true;
+}
+
 bool BgpUpdateMessageLayer::setNetworkLayerReachabilityInfo(const std::vector<prefix_and_ip>& nlri)
 {
 	uint8_t newNlriData[1500];
