From 953fc7b4a1c07c7d5bf93c0c86b404d7e901f8e3 Mon Sep 17 00:00:00 2001
From: xq9mend
Date: Fri, 24 Apr 2026 22:05:59 +0000
Subject: [PATCH] bgp: fix stack buffer overflow in EVPN parseNlriData

Add destination-size clamp before memcpy into ip_binary[16] in three EVPN route-type parsing paths (type-2 MAC-IP, type-3 IMET, type-4 ES). Wire-supplied ip_len field (1 byte) could produce addr_bytes up to 31, overflowing the 16-byte stack buffer. Fix: clamp addr_bytes to sizeof(ip_binary) before memcpy.

Signed-off-by: xq9mend
---
 Server/src/bgp/EVPN.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Server/src/bgp/EVPN.cpp b/Server/src/bgp/EVPN.cpp
index 70eb251..d89d255 100644
--- a/Server/src/bgp/EVPN.cpp
+++ b/Server/src/bgp/EVPN.cpp
@@ -366,6 +366,7 @@ namespace bgp_msg {
 len -= 22;
 addr_bytes = tuple.ip_len > 0 ? (tuple.ip_len / 8) : 0;
+ if (addr_bytes > (int)sizeof(ip_binary)) addr_bytes = sizeof(ip_binary);
 if (tuple.ip_len > 0 and (addr_bytes + data_read) <= data_len) {
 // IP Address (0, 4, or 16 bytes)
@@ -434,6 +435,7 @@ namespace bgp_msg {
 len -= 5;
 addr_bytes = tuple.originating_router_ip_len > 0 ? (tuple.originating_router_ip_len / 8) : 0;
+ if (addr_bytes > (int)sizeof(ip_binary)) addr_bytes = sizeof(ip_binary);
 if (tuple.originating_router_ip_len > 0 and (addr_bytes + data_read) <= data_len) {
@@ -470,12 +472,13 @@ namespace bgp_msg {
 len -= 11;
 addr_bytes = tuple.originating_router_ip_len > 0 ? (tuple.originating_router_ip_len / 8) : 0;
+ if (addr_bytes > (int)sizeof(ip_binary)) addr_bytes = sizeof(ip_binary);
 if (tuple.originating_router_ip_len > 0 and (addr_bytes + data_read) <= data_len) {
 // Originating Router's IP Address (4 or 16 bytes)
 bzero(ip_binary, 16);
- memcpy(&ip_binary, data_pointer, (int) tuple.originating_router_ip_len / 8);
+ memcpy(&ip_binary, data_pointer, addr_bytes);
 inet_ntop(tuple.originating_router_ip_len > 32 ? AF_INET6 : AF_INET, ip_binary, ip_char, sizeof(ip_char));
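Review bot: The added clamp in the type-2 hunk silently truncates an out-of-spec length instead of rejecting it: the hunk's own comment says the address is 0, 4 or 16 bytes, so any `tuple.ip_len` other than 0, 32 or 128 is a malformed NLRI, and after clamping the parser keeps walking the route with a 16-byte address while the rest of the accounting still follows the peer-supplied length, which may leave the remaining NLRI parse out of step with what was actually sent. A stronger shape is to validate the field once and bail out through the function's existing malformed-route path, e.g. `if (tuple.ip_len != 0 && tuple.ip_len != 32 && tuple.ip_len != 128) { /* malformed MAC-IP route: stop parsing this NLRI */ }`, keeping the clamp as a last-line guard; `static_cast<int>(sizeof(ip_binary))` would also be preferable to the C-style cast. The memcpy this clamp protects is outside the hunk, so it is worth confirming it copies `addr_bytes` rather than recomputing `tuple.ip_len / 8` the way the type-4 path did before this patch. The same applies to the type-3 IMET clamp at `@@ -434,6 +435,7 @@` for `originating_router_ip_len`, whose valid values are 32 or 128 only. The enclosing parse routine begins and ends outside these hunks.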