File quagga-12-CVE-2024-44070_bsc1229438.patch of Package quagga.35810
From 8e9da1c09438aab0bb80dbdaaeb067561a3e6b0a Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski <mt@suse.com>
Date: Tue, 17 Sep 2024 11:57:53 +0200
Subject: [PATCH] bgpd: Check the actual remaining stream length before taking
TLV value
References: CVE-2024-44070,bsc#1229438
Backported from frr:
- commit 237e56054e765d62849ae444e68d16d9eeb19640
from https://github.com/FRRouting/frr/pull/16506
```
Author: Donatas Abraitis <donatas@opensourcerouting.org>
Subject: bgpd: Check the actual remaining stream length before taking TLV value
[...]
```
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index fce4b542..69e72254 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -1907,6 +1907,14 @@ bgp_attr_encap(struct bgp_attr_parser_args *args)
args->total);
}
+ if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) {
+ zlog (peer->log, LOG_ERR,
+ "Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu",
+ sublength, STREAM_READABLE(BGP_INPUT(peer)));
+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
+ args->total);
+ }
+
/* alloc and copy sub-tlv */
/* TBD make sure these are freed when attributes are released */
tlv = XCALLOC (MTYPE_ENCAP_TLV, sizeof(struct bgp_attr_encap_subtlv)-1+sublength);
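Review bot: The added guard `if (STREAM_READABLE(BGP_INPUT(peer)) < sublength)` has no comment explaining why a second length test follows directly after the check that ends just above it. The log text alone does not make clear that one bound is the attribute's declared length and the other is the bytes actually present in the peer's input stream. I would put a comment above the new `if`, for example `/* sublength is peer-supplied: bound it by the bytes really left in the input stream, not only by the declared attribute length, before sizing the XCALLOC and copying the value */`. The `%d` / `%zu` pair in the zlog call assumes that `sublength` promotes to int and that STREAM_READABLE yields a size_t. Both are defined outside this hunk, as are the start and end of bgp_attr_encap, so they are worth confirming against this quagga tree, given that the check was written for frr.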
--
2.43.0