diff --git a/Packet++/src/BgpLayer.cpp b/Packet++/src/BgpLayer.cpp
index 003dfb44a..0312abdd7 100644
--- a/Packet++/src/BgpLayer.cpp
+++ b/Packet++/src/BgpLayer.cpp
@@ -2,6 +2,7 @@
 #include "Logger.h"
 #include "BgpLayer.h"
+#include "Packet.h"
 #include "EndianPortable.h"
 #include "GeneralUtils.h"
@@ -744,9 +745,25 @@ namespace pcpp
 if (newNlriDataLen > curNlriDataLen)
 {
+
+ // offsetInLayer, numOfBytesToExtend
+ // int indexToInsertData = layer->m_Data + offsetInLayer - m_RawPacket->getRawData();
+ auto bytesToExtend = newNlriDataLen - curNlriDataLen;
+
+ if (m_Data != nullptr && m_Packet != nullptr)
+ {
+ auto raw_len = static_cast(m_Packet->getRawPacket()->getRawDataLen());
+ if (raw_len + bytesToExtend < raw_len)
+ {
+ PCPP_LOG_ERROR(
+ "Failed to extend BGP update layer, the new data length exceeds the raw packet's data length");
+ return false;
+ }
+ }
+
 bool res = extendLayer(sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen +
 curPathAttributesDataLen,
- newNlriDataLen - curNlriDataLen);
+ bytesToExtend);
 if (!res)
 {
 PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional NLRI data");
diff --git a/Packet++/src/RawPacket.cpp b/Packet++/src/RawPacket.cpp
index 08022885c..2eca8a547 100644
--- a/Packet++/src/RawPacket.cpp
+++ b/Packet++/src/RawPacket.cpp
@@ -114,6 +114,13 @@ namespace pcpp
 void RawPacket::insertData(int atIndex, const uint8_t* dataToInsert, size_t dataToInsertLen)
 {
+ // Check for overflow in the new length
+ if (static_cast(m_RawDataLen) + dataToInsertLen < static_cast(m_RawDataLen))
+ {
+ throw std::length_error(
+ "RawPacket::insertData: dataToInsertLen causes overflow in the new length calculation");
+ }
+
 // memmove copies data as if there was an intermediate buffer in between - so it allows for copying processes on
 // overlapping src/dest ptrs if insertData is called with atIndex == m_RawDataLen, then no data is being moved.
 // The data of the raw packet is still extended by dataToInsertLen
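Review bot: In the BgpLayer.cpp NLRI hunk, the guard `raw_len + bytesToExtend < raw_len` only detects wraparound in whatever type `raw_len` was cast to (the cast's template argument is not visible on this page); if that type is wider than the packet's stored length, a sum too large for the length field still passes, and the same applies to the check added to `RawPacket::insertData` in the RawPacket.cpp hunk. Bounding against the stored type's maximum would close the gap, e.g. `if (bytesToExtend > static_cast<size_t>(std::numeric_limits<int>::max()) - raw_len)` (needs `<limits>`), assuming the length is an `int` as the cast suggests. The log text says the new length "exceeds the raw packet's data length", which is not what the condition tests. The two commented-out lines beginning `// offsetInLayer` read as scratch notes and could be removed. The enclosing function starts and ends outside the hunk.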
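Review bot: In the RawPacket.cpp hunk, `insertData` now reports failure by throwing `std::length_error`, while the BgpLayer path in this same commit reports the equivalent condition with `PCPP_LOG_ERROR` and `return false`; callers of this `void` function that are not written for exceptions will see the throw propagate. The declaration should document the new contract, e.g. `/// @throws std::length_error if the resulting length would overflow`, and since the hunk adds no `#include <stdexcept>` to RawPacket.cpp the file should include it unless it already arrives transitively. `atIndex` remains an unchecked `int` in the visible lines; whether it is range-checked against the current length elsewhere cannot be told from this hunk. The function body continues outside the hunk.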