The Tcpdump Group git mirrors - tcpdump/commit
(for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI
author    Denis Ovsienko <[email protected]>
          Thu, 23 Aug 2018 21:09:16 +0000 (22:09 +0100)
committer Francois-Xavier Le Bail <[email protected]>
          Tue, 27 Aug 2019 09:20:42 +0000 (11:20 +0200)
commit    13d52e9c0e7caf7e6325b0051bc90a49968be67f
tree      460c573dcf5543fce54b371e66200dd32a9fc151
parent    9a6eb27650463ad65dc75d1bfc972a0d0ad673ae
(for 4.9.3) CVE-2018-16230/BGP: fix decoding of MP_REACH_NLRI

When bgp_attr_print() tried to decode the variable-length nexthop value
for the NSAP VPN case, it did not check that the declared length is good
to interpret the value as a mapped IPv4 or IPv6 address. Add missing
checks to make this safe.

This fixes a buffer over-read discovered by Include Security working
under the Mozilla SOS program in 2018 by means of code audit.

Bhargava Shastry, SecT/TU Berlin, had independently identified this
vulnerability by means of fuzzing and provided the packet capture file
for the test.
print-bgp.c
tests/TESTLIST
tests/bgp_mp_reach_nlri-oobr.out [new file with mode: 0644]
tests/bgp_mp_reach_nlri-oobr.pcap [new file with mode: 0644]
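The commit message says the decoder trusted the nexthop's declared length when it interpreted the NSAP VPN nexthop as a mapped IPv4 or IPv6 address. The following is an added illustration, not code from tcpdump or from this commit: a small decoder for the same field that applies the three checks a printer in this position needs, namely declared length against captured bytes, a minimum length for the route distinguisher, and an exact-length match before treating a marker as a mapped address. The byte layout (8-byte RD, a 4-byte `47 00 06 01` marker for mapped IPv4, a 3-byte `35 00 00` marker for mapped IPv6) and all sample packets are assumptions constructed for the example; check RFC 1888 and print-bgp.c for the real encodings.

```c
/* Added example (not tcpdump's code): decoding the variable-length nexthop of an
 * NSAP-VPN MP_REACH_NLRI with the length checks the commit message describes.
 * Layout ASSUMED for illustration (verify against RFC 1888 / print-bgp.c):
 *   nexthop value = route distinguisher (8 bytes) || NSAP address
 *   IPv4 mapped into NSAP: marker 47 00 06 01, then 4 address bytes
 *   IPv6 mapped into NSAP: marker 35 00 00,    then 16 address bytes
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RD_LEN        8
#define V4_MARKER_LEN 4
#define V6_MARKER_LEN 3
#define V4_NH_LEN     (RD_LEN + V4_MARKER_LEN + 4)    /* 16 bytes */
#define V6_NH_LEN     (RD_LEN + V6_MARKER_LEN + 16)   /* 27 bytes */

static const uint8_t V4_MARKER[V4_MARKER_LEN] = { 0x47, 0x00, 0x06, 0x01 };
static const uint8_t V6_MARKER[V6_MARKER_LEN] = { 0x35, 0x00, 0x00 };

enum nh_kind { NH_TRUNCATED = -2, NH_INVALID = -1, NH_NSAP = 0, NH_MAPPED_V4 = 4, NH_MAPPED_V6 = 6 };

/* nh: first byte of the nexthop value; declared: the length byte preceding it;
 * avail: bytes really present in the captured packet from nh onward.
 * Writes a printable form to out (outsz >= 64 recommended) and returns the kind. */
enum nh_kind decode_nsap_vpn_nexthop(const uint8_t *nh, size_t declared, size_t avail,
                                     char *out, size_t outsz)
{
    /* Check 1: never trust the declared length beyond the captured bytes. */
    if (declared > avail) {
        snprintf(out, outsz, "[|nexthop]");
        return NH_TRUNCATED;
    }
    /* Check 2: an RD plus at least one NSAP byte must be present. */
    if (declared < RD_LEN + 1) {
        snprintf(out, outsz, "invalid len %zu", declared);
        return NH_INVALID;
    }
    const uint8_t *nsap = nh + RD_LEN;
    size_t nsap_len = declared - RD_LEN;

    /* Check 3 (the one the fix adds): a matching marker alone is not enough; the
     * declared length must equal the full mapped layout, otherwise reading the
     * 4 or 16 address bytes would run past the end of the value. */
    if (declared == V4_NH_LEN && memcmp(nsap, V4_MARKER, V4_MARKER_LEN) == 0) {
        const uint8_t *a = nsap + V4_MARKER_LEN;
        snprintf(out, outsz, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
        return NH_MAPPED_V4;
    }
    if (declared == V6_NH_LEN && memcmp(nsap, V6_MARKER, V6_MARKER_LEN) == 0) {
        const uint8_t *a = nsap + V6_MARKER_LEN;
        size_t n = 0;
        for (int i = 0; i < 16 && n < outsz; i += 2)
            n += (size_t)snprintf(out + n, outsz - n, "%s%02x%02x", i ? ":" : "", a[i], a[i + 1]);
        return NH_MAPPED_V6;
    }
    /* Otherwise print the NSAP as raw hex, bounded by the declared length only. */
    size_t n = 0;
    for (size_t i = 0; i < nsap_len && n < outsz; i++)
        n += (size_t)snprintf(out + n, outsz - n, "%02x", nsap[i]);
    return NH_NSAP;
}

/* Constructed samples (not the CVE capture); the RD is a placeholder 00..07. */
#define RD 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
static const uint8_t SAMPLE_V4[V4_NH_LEN] = { RD, 0x47, 0x00, 0x06, 0x01, 10, 0, 0, 1 };
static const uint8_t SAMPLE_V6[V6_NH_LEN] = { RD, 0x35, 0x00, 0x00,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
/* Marker present but no address bytes: the shape an unchecked decoder over-reads. */
static const uint8_t SAMPLE_SHORT[RD_LEN + V4_MARKER_LEN] = { RD, 0x47, 0x00, 0x06, 0x01 };

static char last_text[64];
/* Convenience wrapper: decode into a private buffer so both kind and text can be inspected. */
int decode_into_last(const uint8_t *nh, size_t declared, size_t avail)
{
    return (int)decode_nsap_vpn_nexthop(nh, declared, avail, last_text, sizeof last_text);
}

int main(void)
{
    const struct { const char *name; const uint8_t *nh; size_t declared, avail; } cases[] = {
        { "mapped IPv4",                   SAMPLE_V4,    sizeof SAMPLE_V4,    sizeof SAMPLE_V4 },
        { "mapped IPv6",                   SAMPLE_V6,    sizeof SAMPLE_V6,    sizeof SAMPLE_V6 },
        { "marker, no address",            SAMPLE_SHORT, sizeof SAMPLE_SHORT, sizeof SAMPLE_SHORT },
        { "declared longer than captured", SAMPLE_V4,    sizeof SAMPLE_V4,    12 },
        { "shorter than RD",               SAMPLE_V4,    5,                   sizeof SAMPLE_V4 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int kind = decode_into_last(cases[i].nh, cases[i].declared, cases[i].avail);
        printf("%-30s kind=%2d text=%s\n", cases[i].name, kind, last_text);
    }
    return 0;
}
```

The third case is the interesting one: the marker bytes say "mapped IPv4", but the declared length leaves no room for an address, so the decoder falls back to printing the four NSAP bytes as hex instead of reading four more bytes past the value. Fuzzing a decoder with exactly this shape (valid marker, short length) is how the class of bug in this commit tends to surface.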