From e26631ceb4b85f16d844b494596f27319e233407 Mon Sep 17 00:00:00 2001
From: FUJITA Tomonori <fujita.tomonori@gmail.com>
Date: Tue, 31 Oct 2023 21:43:01 +0900
Subject: [PATCH] packet: fix FQDN capability parser

Fixes #2708
---
 pkg/packet/bgp/bgp.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/pkg/packet/bgp/bgp.go b/pkg/packet/bgp/bgp.go
index 099e5903b..94ad50d00 100644
--- a/pkg/packet/bgp/bgp.go
+++ b/pkg/packet/bgp/bgp.go
@@ -1013,10 +1013,26 @@ func (c *CapFQDN) DecodeFromBytes(data []byte) error {
 	if len(data) < 2 {
 		return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilityFQDN bytes allowed")
 	}
+	rest := len(data)
+	if rest < 1 {
+		return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilityFQDN bytes allowed")
+	}
 	hostNameLen := uint8(data[0])
+	rest -= 1
 	c.HostNameLen = hostNameLen
+	if rest < int(hostNameLen) {
+		return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilityFQDN bytes allowed")
+	}
 	c.HostName = string(data[1 : c.HostNameLen+1])
+	rest -= int(hostNameLen)
+	if rest < 1 {
+		return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilityFQDN bytes allowed")
+	}
+	rest -= 1
 	domainNameLen := uint8(data[c.HostNameLen+1])
+	if rest < int(domainNameLen) {
+		return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilityFQDN bytes allowed")
+	}
 	c.DomainNameLen = domainNameLen
 	c.DomainName = string(data[c.HostNameLen+2:])
 	return nil