Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion Packet++/src/BgpLayer.cpp
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add the packet data that caused this issue to our regression tests, the same way it's done in this PR?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, will do!

Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

#include "Logger.h"
#include "BgpLayer.h"
#include "Packet.h"
#include "EndianPortable.h"
#include "GeneralUtils.h"

Expand Down Expand Up @@ -744,9 +745,25 @@ namespace pcpp

if (newNlriDataLen > curNlriDataLen)
{

// offsetInLayer, numOfBytesToExtend
// int indexToInsertData = layer->m_Data + offsetInLayer - m_RawPacket->getRawData();
auto bytesToExtend = newNlriDataLen - curNlriDataLen;

if (m_Data != nullptr && m_Packet != nullptr)
{
auto raw_len = static_cast<size_t>(m_Packet->getRawPacket()->getRawDataLen());
if (raw_len + bytesToExtend < raw_len)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can this be true? 🤔
bytesToExtend is of type size_t, which can't be a negative number

Copy link
Author

@Marti2203 Marti2203 Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As previously discussed, this can overflow when unsigned going back to a lower value.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right! Can you add a comment above this line to remind future us why we did it? 🙂

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! 😄 It is an annoying edge-case

{
PCPP_LOG_ERROR(
"Failed to extend BGP update layer, the new data length exceeds the raw packet's data length");
return false;
}
}

bool res = extendLayer(sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen +
curPathAttributesDataLen,
newNlriDataLen - curNlriDataLen);
bytesToExtend);
if (!res)
{
PCPP_LOG_ERROR("Couldn't extend BGP update layer to include the additional NLRI data");
Expand Down
7 changes: 7 additions & 0 deletions Packet++/src/RawPacket.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,13 @@ namespace pcpp

void RawPacket::insertData(int atIndex, const uint8_t* dataToInsert, size_t dataToInsertLen)
{
// Check for overflow in the new length
if (static_cast<size_t>(m_RawDataLen) + dataToInsertLen < static_cast<size_t>(m_RawDataLen))
{
throw std::length_error(
"RawPacket::insertData: dataToInsertLen causes overflow in the new length calculation");
}

// memmove copies data as if there was an intermediate buffer in between - so it allows for copying processes on
// overlapping src/dest ptrs if insertData is called with atIndex == m_RawDataLen, then no data is being moved.
// The data of the raw packet is still extended by dataToInsertLen
Expand Down
Loading