bfdd: validate incoming control message length

Apply upper bound on incoming control messages, drop invalid
messages.

Signed-off-by: Mark Stapp <mjs@labn.net>

diff --git a/bfdd/control.c b/bfdd/control.c
index 473843fe252769515b9a9adcc18fdfe4b52508cf..01cfed8f906ecf39c34012165c8c6877c8aef61f 100644 (file)
--- a/bfdd/control.c
+++ b/bfdd/control.c
@@ -435,6 +435,15 @@ static void control_read(struct thread *t)
                return;
        }
 
+#define FRR_BFD_MAXLEN 10 * 1024
+
+       if (plen > FRR_BFD_MAXLEN) {
+               zlog_debug("%s: client closed, invalid message length: %d",
+                          __func__, bcm.bcm_length);
+               control_free(bcs);
+               return;
+       }
+
        if (bcm.bcm_ver != BMV_VERSION_1) {
                zlog_debug("%s: client closed due bad version: %d", __func__,
                           bcm.bcm_ver);