From 112133c81b17d21c9a33ceab582d309dc2e237ce Mon Sep 17 00:00:00 2001
From: claudio <claudio@openbsd.org>
Date: Tue, 21 Mar 2023 14:52:36 +0000
Subject: [PATCH] Improve length checks for ATTR_MP_REACH_NLRI. Based on a
 report by cjt (melissa_cjt at 163.com) OK tb@

---
 usr.sbin/bgpd/rde.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/bgpd/rde.c b/usr.sbin/bgpd/rde.c
index deee26eb73e..d8cb4b9d93d 100644
--- a/usr.sbin/bgpd/rde.c
+++ b/usr.sbin/bgpd/rde.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rde.c,v 1.596 2023/03/13 16:52:42 claudio Exp $ */
+/*	$OpenBSD: rde.c,v 1.597 2023/03/21 14:52:36 claudio Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -2117,7 +2117,7 @@ bad_flags:
 			goto bad_flags;
 		goto optattr;
 	case ATTR_MP_REACH_NLRI:
-		if (attr_len < 4)
+		if (attr_len < 5)
 			goto bad_len;
 		if (!CHECK_FLAGS(flags, ATTR_OPTIONAL, 0))
 			goto bad_flags;
@@ -2310,7 +2310,7 @@ rde_get_mp_nexthop(u_char *data, uint16_t len, uint8_t aid,
 	totlen = 1;
 	len--;
 
-	if (nhlen > len)
+	if (nhlen + 1 > len)
 		return (-1);
 
 	memset(&nexthop, 0, sizeof(nexthop));
-- 
2.20.1