From 3161b5f000056d41cc4b846f695307c6d6604b78 Mon Sep 17 00:00:00 2001
From: Daniel Czerwonk <daniel@dan-nrw.de>
Date: Sun, 1 Jul 2018 23:41:28 +0200
Subject: [PATCH] out of bounds index fix

---
 protocols/bgp/packet/mp_reach_nlri.go   | 23 +++++++++++++----------
 protocols/bgp/packet/mp_unreach_nlri.go | 23 +++++++++++++----------
 2 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/protocols/bgp/packet/mp_reach_nlri.go b/protocols/bgp/packet/mp_reach_nlri.go
index 497bc7a2..8051463a 100644
--- a/protocols/bgp/packet/mp_reach_nlri.go
+++ b/protocols/bgp/packet/mp_reach_nlri.go
@@ -64,23 +64,26 @@ func deserializeMultiProtocolReachNLRI(b []byte) (MultiProtocolReachNLRI, error)
 		return n, nil
 	}
 
-	idx := uint8(0)
-	for idx < uint8(len(variable)) {
-		l := numberOfBytesForPrefixLength(variable[idx])
-		start := idx + 1
-		end := idx + 1 + l
-		r := uint8(len(variable)) - idx - 1
-		if r < l {
-			return MultiProtocolReachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", l, r)
+	idx := uint16(0)
+	for idx < uint16(len(variable)) {
+		pfxLen := variable[idx]
+		numBytes := uint16(numberOfBytesForPrefixLength(pfxLen))
+		idx++
+
+		r := uint16(len(variable)) - idx
+		if r < numBytes {
+			return MultiProtocolReachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", numBytes, r)
 		}
 
-		pfx, err := deserializePrefix(variable[start:end], variable[idx], n.AFI)
+		start := idx
+		end := idx + numBytes
+		pfx, err := deserializePrefix(variable[start:end], pfxLen, n.AFI)
 		if err != nil {
 			return MultiProtocolReachNLRI{}, err
 		}
 		n.Prefixes = append(n.Prefixes, pfx)
 
-		idx = idx + l + 1
+		idx = idx + numBytes
 	}
 
 	return n, nil
diff --git a/protocols/bgp/packet/mp_unreach_nlri.go b/protocols/bgp/packet/mp_unreach_nlri.go
index 7b42c4ce..b7835cd1 100644
--- a/protocols/bgp/packet/mp_unreach_nlri.go
+++ b/protocols/bgp/packet/mp_unreach_nlri.go
@@ -46,23 +46,26 @@ func deserializeMultiProtocolUnreachNLRI(b []byte) (MultiProtocolUnreachNLRI, er
 		return n, nil
 	}
 
-	idx := uint8(0)
-	for idx < uint8(len(prefix)) {
-		l := numberOfBytesForPrefixLength(prefix[idx])
-		start := idx + 1
-		end := idx + 1 + l
-		r := uint8(len(prefix)) - idx - 1
-		if r < l {
-			return MultiProtocolUnreachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", l, r)
+	idx := uint16(0)
+	for idx < uint16(len(prefix)) {
+		pfxLen := prefix[idx]
+		numBytes := uint16(numberOfBytesForPrefixLength(pfxLen))
+		idx++
+
+		r := uint16(len(prefix)) - idx
+		if r < numBytes {
+			return MultiProtocolUnreachNLRI{}, fmt.Errorf("expected %d bytes for NLRI, only %d remaining", numBytes, r)
 		}
 
-		pfx, err := deserializePrefix(prefix[start:end], prefix[idx], n.AFI)
+		start := idx
+		end := idx + numBytes
+		pfx, err := deserializePrefix(prefix[start:end], pfxLen, n.AFI)
 		if err != nil {
 			return MultiProtocolUnreachNLRI{}, err
 		}
 		n.Prefixes = append(n.Prefixes, pfx)
 
-		idx = idx + l + 1
+		idx = idx + numBytes
 	}
 
 	return n, nil
-- 
GitLab