From 0f05e56bedb5ae3cdf57c8fc71eb38cd2aeef17c Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Sun, 17 Dec 2023 15:13:57 +0200
Subject: [PATCH] bgpd: Validate Addpath capability flags per AF

Send/Receive: This field indicates whether the sender is (a) able to receive multiple paths from its peer (value 1), (b) able to send multiple paths to its peer (value 2), or (c) both (value 3) for the . If any other value is received, then the capability SHOULD be treated as not understood and ignored [RFC5492].

Signed-off-by: Donatas Abraitis
---
 bgpd/bgp_open.c | 11 +++++++++++
 bgpd/bgp_packet.c | 16 ++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
index 44cf8343c6be..0aa9838a7a90 100644
--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
@@ -680,6 +680,17 @@ static int bgp_capability_addpath(struct peer *peer,
 iana_safi_t pkt_safi = stream_getc(s);
 uint8_t send_receive = stream_getc(s);

+ /* If any other value (other than 1-3) is received, then
+ * the capability SHOULD be treated as not understood
+ * and ignored.
+ */
+ if (!send_receive || send_receive > 3) {
+ flog_warn(EC_BGP_CAPABILITY_INVALID_DATA,
+ "Add Path: Received invalid send/receive value %u in Add Path capability",
+ send_receive);
+ continue;
+ }
+
 if (bgp_debug_neighbor_events(peer))
 zlog_debug("%s OPEN has %s capability for afi/safi: %s/%s%s%s",
 peer->host,
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index 601dac7970c6..571f1df25dd2 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
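Review bot: The `flog_warn` added in bgp_capability_addpath() (bgpd/bgp_open.c, hunk at -680) does not name the peer that sent the out-of-range value, so the warning cannot be tied to a session when several neighbors are configured; the `zlog_debug` right after it already prints `peer->host`. Suggest prefixing the format with `"%s: Add Path: Received invalid send/receive value %u in Add Path capability"` and passing `peer->host` as the first argument. The same applies to the warning added in bgp_dynamic_capability_addpath() in bgpd/bgp_packet.c. The function body and the enclosing loop start and end outside this hunk.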
@@ -3097,6 +3097,17 @@ static void bgp_dynamic_capability_addpath(uint8_t *pnt, int action,
 pkt_afi = ntohs(bac.afi);
 pkt_safi = safi_int2iana(bac.safi);

+ /* If any other value (other than 1-3) is received,
+ * then the capability SHOULD be treated as not
+ * understood and ignored.
+ */
+ if (!bac.flags || bac.flags > 3) {
+ flog_warn(EC_BGP_CAPABILITY_INVALID_LENGTH,
+ "Add Path: Received invalid send/receive value %u in Add Path capability",
+ bac.flags);
+ goto ignore;
+ }
+
 if (bgp_debug_neighbor_events(peer))
 zlog_debug("%s OPEN has %s capability for afi/safi: %s/%s%s%s",
 peer->host,
@@ -3118,14 +3129,14 @@ static void bgp_dynamic_capability_addpath(uint8_t *pnt, int action,
 peer->host,
 iana_afi2str(pkt_afi),
 iana_safi2str(pkt_safi));
- continue;
+ goto ignore;
 } else if (!peer->afc[afi][safi]) {
 if (bgp_debug_neighbor_events(peer))
 zlog_debug("%s Addr-family %s/%s(afi/safi) not enabled. Ignore the AddPath capability for this AFI/SAFI",
 peer->host,
 iana_afi2str(pkt_afi),
 iana_safi2str(pkt_safi));
- continue;
+ goto ignore;
 }

 if (CHECK_FLAG(bac.flags, BGP_ADDPATH_RX))
@@ -3142,6 +3153,7 @@ static void bgp_dynamic_capability_addpath(uint8_t *pnt, int action,
 UNSET_FLAG(peer->af_cap[afi][safi],
 PEER_CAP_ADDPATH_AF_TX_RCV);

+ignore:
 data += CAPABILITY_CODE_ADDPATH_LEN;
 }
 } else {
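Review bot: The warning added in the hunk at -3097 is tagged `EC_BGP_CAPABILITY_INVALID_LENGTH`, but the condition it reports is an out-of-range flags value, not a length problem. The equivalent check in bgpd/bgp_open.c uses `EC_BGP_CAPABILITY_INVALID_DATA` with the same message text. Changing the call to `flog_warn(EC_BGP_CAPABILITY_INVALID_DATA,` keeps the OPEN and dynamic-capability paths consistent, and keeps any log filtering or alerting keyed on the error code accurate. bgp_dynamic_capability_addpath() continues outside the hunk.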
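Review bot: The `ignore:` label added in the hunk at -3142 has no comment, although three skip paths in this commit now depend on the `data += CAPABILITY_CODE_ADDPATH_LEN;` that follows it (the invalid-flags check and the two former `continue` sites in the hunk at -3118). A line above the label such as `/* Skipped and accepted tuples alike must advance past this entry. */` would stop a later edit from reintroducing a `continue` that bypasses the advance. The loop header is outside these hunks, so whether the old `continue` statements re-read the same tuple is an inference; if they did, that behaviour change is worth a sentence in the commit message, which currently describes only the flag validation.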