From b6945218d1ea9ecad2d8d9d09c156b709bbc9a31 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Thu, 28 May 2026 12:00:59 +0300
Subject: [PATCH] bgpd: Fix infinite loop in MRT route dump for oversized paths

This is a complete fix for CVE-2016-4049.

Fixes: 246556b ("bgpd: Fix buffer overflow error in bgp_dump_routes_func")

Signed-off-by: Donatas Abraitis
(cherry picked from commit 553f44e8bc1a9ce5e7e1fbcea46a005d242ed895)
---
 bgpd/bgp_dump.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/bgpd/bgp_dump.c b/bgpd/bgp_dump.c
index fd297fc0fc98..899a18d745a1 100644
--- a/bgpd/bgp_dump.c
+++ b/bgpd/bgp_dump.c
@@ -377,6 +377,16 @@ bgp_dump_route_node_record(int afi, struct bgp_dest *dest,
 + BGP_DUMP_MSG_HEADER + BGP_DUMP_HEADER_SIZE) {
 stream_set_endp(obuf, endp);
+ if (entry_count == 0) {
+ /* A single path's encoding exceeds the
+ * per-record cap. Skip it so the caller's
+ * while (path) loop makes forward progress.
+ */
+ flog_warn(EC_BGP_DUMP,
+ "%s: skipping oversized path for %pFX from peer %s",
+ __func__, p, path->peer->host);
+ path = path->next;
+ }
 break;
 }
@@ -384,6 +394,12 @@ bgp_dump_route_node_record(int afi, struct bgp_dest *dest,
 endp = cur_endp;
 }
+ /* Skip emitting a zero-entry record: some MRT parsers treat them as
+ * corrupt.
+ */
+ if (entry_count == 0)
+ return path;
 /* Overwrite the entry count, now that we know the right number */
 stream_putw_at(obuf, sizep, entry_count);
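Review bot: The skip branch advances `path` and then falls through to the shared `break`, so the fact that the oversized path has already been consumed is carried only by `entry_count == 0` being re-checked after the loop, outside this hunk; the in-loop comment should name that coupling, e.g. append ` * The entry_count == 0 check after the loop then returns the advanced pointer without emitting a record.` Because this function runs on every dump pass, a persistently oversized path will re-trigger the flog_warn each time; that is probably acceptable, but a one-line note saying it is intended would stop a future reader from rate-limiting it away. The `path->peer->host` dereference assumes every path in the table carries a peer, which is not established by anything visible in the hunk. The enclosing loop and the post-loop code of bgp_dump_route_node_record lie outside this hunk.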
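Review bot: The early `return path;` leaves obuf holding the record header and the size placeholder at `sizep` that were written before the loop (outside this hunk), so it is only correct if the next call rewinds the stream before writing; if that reset happens at function entry, a comment here such as `/* obuf still holds this record's header; the next call resets it */` would make the dependency explicit rather than implicit. If the caller advances its per-record sequence number once per call rather than once per record actually written, skipping the emission also leaves a gap in the dump's sequence numbers, which is worth checking against the caller since the hunk's comment already notes that some MRT parsers are strict. The start of bgp_dump_route_node_record and its caller are not visible in this hunk.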