Add boundary checks to prevent out-of-bounds access in BgpLayer::getHeaderLen()

danasana · danasana · commit 8dd055c9184c · 2025-10-07T11:32:02.000+03:00
diff --git a/Packet++/src/Layer.cpp b/Packet++/src/Layer.cpp
@@ -78,6 +78,25 @@ namespace pcpp
 			return true;
 		}
 
+		if ((size_t)offsetInLayer > m_DataLen)
+		{
+			PCPP_LOG_ERROR("Requested offset is larger than data length");
+			return false;
+		}
+
+		if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer 
+			> (ptrdiff_t)m_Packet->m_RawPacket->getRawDataLen())
+		{
+			PCPP_LOG_ERROR("Requested offset is larger than total packet length");
+			return false;
+		}
+
+		if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer > m_NextLayer->m_Data - m_Data)
+		{
+			PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary");
+			return false;
+		}
+
 		return m_Packet->extendLayer(this, offsetInLayer, numOfBytesToExtend);
 	}
 
@@ -107,6 +126,32 @@ namespace pcpp
 			return true;
 		}
 
+		if ((size_t)offsetInLayer >= m_DataLen)
+		{
+			PCPP_LOG_ERROR("Requested offset is larger than data length");
+			return false;
+		}
+
+		if ((size_t)offsetInLayer + numOfBytesToShorten > m_DataLen)
+		{
+			PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length");
+			return false;
+		}
+
+		if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
+			> (ptrdiff_t)(m_Packet->m_RawPacket->getRawDataLen()))
+		{
+			PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length");
+			return false;
+		}
+
+		if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten 
+			> m_NextLayer->m_Data - m_Data)
+		{
+			PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary");
+			return false;
+		}
+
 		return m_Packet->shortenLayer(this, offsetInLayer, numOfBytesToShorten);
 	}
 
diff --git a/Packet++/src/Packet.cpp b/Packet++/src/Packet.cpp
@@ -671,6 +671,8 @@ namespace pcpp
 			// assuming header length of the layer that requested to be extended hasn't been enlarged yet
 			size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0);
 			dataPtr += headerLen;
+			if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
+				break;
 			curLayer = curLayer->getNextLayer();
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -671,6 +671,8 @@ namespace pcpp`
`671`	`671`	`// assuming header length of the layer that requested to be extended hasn't been enlarged yet`
`672`	`672`	`size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0);`
`673`	`673`	`dataPtr += headerLen;`
	`674`	`+ if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())`
	`675`	`+ break;`
`674`	`676`	`curLayer = curLayer->getNextLayer();`
`675`	`677`	`}`
`676`	`678`