pkg/packet/bgp: fix flowspec parser to check the input length

ivg · fujita · commit ca7383f450f7 · 2025-02-07T10:16:20.000+09:00
case EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6:
   ipv6 := net.IP(data[2:18]).String()
   localAdmin := binary.BigEndian.Uint16(data[18:20])
   return NewRedirectIPv6AddressSpecificExtended(ipv6, localAdmin), nil

Note that the `data` length is only checked for being at least 8
bytes, so any message with the given subtype but less than 20 bytes
will crash the application.
diff --git a/pkg/packet/bgp/bgp.go b/pkg/packet/bgp/bgp.go
@@ -12708,6 +12708,10 @@ func parseGenericTransitiveExperimentalExtended(data []byte) (ExtendedCommunityI
 		dscp := data[7]
 		return NewTrafficRemarkExtended(dscp), nil
 	case EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6:
+		if len(data) < 20 {
+			return nil, NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "not all extended community bytes for IPv6 FlowSpec are available")
+		}
+
 		ipv6 := net.IP(data[2:18]).String()
 		localAdmin := binary.BigEndian.Uint16(data[18:20])
 		return NewRedirectIPv6AddressSpecificExtended(ipv6, localAdmin), nil
