Skip to content

Add boundary checks to prevent memory safety issues in BgpLayer::getHeaderLen #1954

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: dev
Choose a base branch
from
Open

Add boundary checks to prevent memory safety issues in BgpLayer::getHeaderLen #1954

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
7a836de
Add boundary checks to prevent out-of-bounds access in BgpLayer::getH…
danasana Sep 10, 2025
8e73f57
Add poc files to regression_samples
danasana Sep 10, 2025
913e63c
Move common validation before branch point to avoid redundancy
danasana Sep 10, 2025
ae1ed33
Change C-style casts to static_cast
danasana Sep 10, 2025
4c839c7
Remove mistakenly added files
danasana Sep 10, 2025
936c316
Add check to ensure offsetInLayer is not negative in Layer::extend/sh…
danasana Sep 10, 2025
f27a0a6
Fix pre-commit hook failures
danasana Sep 11, 2025
075bb45
Merge branch 'dev' into bugfix/bgp-headerlen-memory-safety
Dimi1010 Sep 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions Packet++/src/Layer.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,25 @@ namespace pcpp
return true;
}

if ((size_t)offsetInLayer > m_DataLen)
{
PCPP_LOG_ERROR("Requested offset is larger than data length");
return false;
}

if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer
> (ptrdiff_t)m_Packet->m_RawPacket->getRawDataLen())
{
PCPP_LOG_ERROR("Requested offset is larger than total packet length");
return false;
}

if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer > m_NextLayer->m_Data - m_Data)
{
PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary");
return false;
}

return m_Packet->extendLayer(this, offsetInLayer, numOfBytesToExtend);
}

Expand Down Expand Up @@ -107,6 +126,32 @@ namespace pcpp
return true;
}

if ((size_t)offsetInLayer >= m_DataLen)
{
PCPP_LOG_ERROR("Requested offset is larger than data length");
return false;
}

if ((size_t)offsetInLayer + numOfBytesToShorten > m_DataLen)
{
PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length");
return false;
}

if (m_Data - m_Packet->m_RawPacket->getRawData() + (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
> (ptrdiff_t)(m_Packet->m_RawPacket->getRawDataLen()))
{
PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length");
return false;
}

if (m_NextLayer != nullptr && (ptrdiff_t)offsetInLayer + (ptrdiff_t)numOfBytesToShorten
> m_NextLayer->m_Data - m_Data)
{
PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary");
return false;
}

return m_Packet->shortenLayer(this, offsetInLayer, numOfBytesToShorten);
}

Expand Down
4 changes: 4 additions & 0 deletions Packet++/src/Packet.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -619,6 +619,8 @@ namespace pcpp
// assuming header length of the layer that requested to be extended hasn't been enlarged yet
size_t headerLen = curLayer->getHeaderLen() + (curLayer == layer ? numOfBytesToExtend : 0);
dataPtr += headerLen;
if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
break;
Comment on lines +613 to +614
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can such a thing happen? curLayer->getHeaderLen() should never exceed the packet data, unless we have a bug in one of the layers

curLayer = curLayer->getNextLayer();
}

Expand Down Expand Up @@ -671,6 +673,8 @@ namespace pcpp
// assuming header length of the layer that requested to be extended hasn't been enlarged yet
size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0);
dataPtr += headerLen;
if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
break;
Comment on lines +666 to +667
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

curLayer = curLayer->getNextLayer();
}

Expand Down
Binary file added ...Tests/regression_samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/047c56c3504ad04232497c903af06c0bc4b5c6f73927ad07cde79cfa28d94f8b:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/1eb005b8d62599b6561acf7e778f51603ccbc5ddf948c0b081617668bb56cee4:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/39d92632b6a92f1c682c052febfbc74b0561536687be3b7ce7b9508e8b9726d6:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/6f6fd63a9a6d8dd1a206eff00c915ed4b643034dad7e9986fd89a43244d6be97:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/6fda21d7ebaa0391434f17eecf25b1d7c58633f96b6906183c626cbdfc35b325:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/a7a658b6e51576eafe7990dbc35c5bfff991d914c9ead914e26e3bfc3e88221c:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/adb739b5829aacedbec6cf3969413997d23b6f2e3350ddf0b1cc3b4d1c335a95:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/e0c0f8fea6e931d9671384a66f4e1ab02d84e27a5f091e9c7b1fce89d9c18837:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Binary file added ...Tests/regression_samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions ..._samples/ec4b17a4e7b994548f03ae05d8d8924a515a236892959f3300e1c9e8a9c56ba7:Zone.Identifier
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[ZoneTransfer]
ZoneId=3
ReferrerUrl=C:\Users\dashka\Downloads\pocs.tar.gz
Loading