From e3470dbb2879611e79c06f2442673b031703fe74 Mon Sep 17 00:00:00 2001
From: aled-ua <bugbuster.cc@gmail.com>
Date: Tue, 24 Dec 2024 07:58:33 +0000
Subject: [PATCH] Fix vuln OSV-2023-1201

---
 Packet++/src/BgpLayer.cpp  | 5 +++++
 Packet++/src/Packet.cpp    | 5 +++++
 Packet++/src/RawPacket.cpp | 5 +++++
 3 files changed, 15 insertions(+)

diff --git a/Packet++/src/BgpLayer.cpp b/Packet++/src/BgpLayer.cpp
index 4e1269abcf..5066a53a78 100644
--- a/Packet++/src/BgpLayer.cpp
+++ b/Packet++/src/BgpLayer.cpp
@@ -739,6 +739,11 @@ namespace pcpp
 
 		if (newNlriDataLen > curNlriDataLen)
 		{
+			if (newNlriDataLen < curNlriDataLen)
+			{
+				PCPP_LOG_ERROR("newNlriDataLen cannot be less than curNlriDataLen");
+				return false;
+			}
 			bool res = extendLayer(sizeof(bgp_common_header) + 2 * sizeof(uint16_t) + curWithdrawnRoutesDataLen +
 			                           curPathAttributesDataLen,
 			                       newNlriDataLen - curNlriDataLen);
diff --git a/Packet++/src/Packet.cpp b/Packet++/src/Packet.cpp
index d8104aee99..b275b428a1 100644
--- a/Packet++/src/Packet.cpp
+++ b/Packet++/src/Packet.cpp
@@ -559,6 +559,11 @@ namespace pcpp
 	bool Packet::extendLayer(Layer* layer, int offsetInLayer, size_t numOfBytesToExtend)
 	{
 		if (layer == nullptr)
+		if (numOfBytesToExtend < 0)
+		{
+			PCPP_LOG_ERROR("numOfBytesToExtend cannot be negative");
+			return false;
+		}
 		{
 			PCPP_LOG_ERROR("Layer is nullptr");
 			return false;
diff --git a/Packet++/src/RawPacket.cpp b/Packet++/src/RawPacket.cpp
index a68385bb94..bfb0930186 100644
--- a/Packet++/src/RawPacket.cpp
+++ b/Packet++/src/RawPacket.cpp
@@ -148,6 +148,11 @@ namespace pcpp
 	void RawPacket::insertData(int atIndex, const uint8_t* dataToInsert, size_t dataToInsertLen)
 	{
 		// memmove copies data as if there was an intermediate buffer in between - so it allows for copying processes on
+		if (dataToInsertLen < 0)
+		{
+			PCPP_LOG_ERROR("dataToInsertLen cannot be negative");
+			return;
+		}
 		// overlapping src/dest ptrs if insertData is called with atIndex == m_RawDataLen, then no data is being moved.
 		// The data of the raw packet is still extended by dataToInsertLen
 		memmove((uint8_t*)m_RawData + atIndex + dataToInsertLen, (uint8_t*)m_RawData + atIndex, m_RawDataLen - atIndex);