bgpd: Add a safety guard against uint64 max value if TLV length is 0

ton31337 · ton31337 · commit fdddac176a27 · 2025-10-23T09:25:42.000+03:00
When the TLV length is less than 8 (which should never happen, because TLV
MUST not be propagated if no Next-next hops exist, but hack3rs don't care), we
have count 0, and then subtracting results with the very huge unsigned number.

Prevent this from happening.

Signed-off-by: Donatas Abraitis &lt;donatas@opensourcerouting.org&gt;
diff --git a/bgpd/bgp_nhc.c b/bgpd/bgp_nhc.c
@@ -87,14 +87,17 @@ uint64_t bgp_nhc_nnhn_count(struct bgp_nhc *nhc)
 
 	for (tlv = nhc->tlvs; tlv; tlv = tlv->next) {
 		if (tlv->code == BGP_ATTR_NHC_TLV_NNHN) {
-			/* BGP Identifier is always 4-bytes (yet...).
-			 * -1 is to exclude the next-hop BGP ID.
+			/* BGP Identifier is always 4-bytes (yet...) */
+			count = tlv->length / IPV4_MAX_BYTELEN;
+			if (count <= 1)
+				return 0;
+
+			/* -1 is to exclude the next-hop BGP ID.
 			 * We care only about Next-next hops here.
 			 */
-			count = (tlv->length / IPV4_MAX_BYTELEN) - 1;
-			break;
+			return count - 1;
 		}
 	}
 
-	return count;
+	return 0;
 }
