Add boundary checks to prevent memory safety issues in BgpLayer::getHeaderLen

Packet++/src/Layer.cpp

@@ -61,14 +61,20 @@ namespace pcpp
 			return false;
 		}
 
-		if (m_Packet == nullptr)
+		if (offsetInLayer < 0)
+		{
+			PCPP_LOG_ERROR("Requested offset is negative");
+			return false;
+		}
+
+		if (static_cast<size_t>(offsetInLayer) > m_DataLen)
 		{
-			if ((size_t)offsetInLayer > m_DataLen)
-			{
-				PCPP_LOG_ERROR("Requested offset is larger than data length");
-				return false;
-			}
+			PCPP_LOG_ERROR("Requested offset is larger than data length");
+			return false;
+		}
 
+		if (m_Packet == nullptr)
+		{
 			uint8_t* newData = new uint8_t[m_DataLen + numOfBytesToExtend];
 			memcpy(newData, m_Data, offsetInLayer);
 			memcpy(newData + offsetInLayer + numOfBytesToExtend, m_Data + offsetInLayer, m_DataLen - offsetInLayer);
@@ -78,6 +84,19 @@ namespace pcpp
 			return true;
 		}
 
+		if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast<ptrdiff_t>(offsetInLayer) >
+		    static_cast<ptrdiff_t>(m_Packet->m_RawPacket->getRawDataLen()))
+		{
+			PCPP_LOG_ERROR("Requested offset is larger than total packet length");
+			return false;
+		}
+
+		if (m_NextLayer != nullptr && static_cast<ptrdiff_t>(offsetInLayer) > m_NextLayer->m_Data - m_Data)
+		{
+			PCPP_LOG_ERROR("Requested offset exceeds current layer's boundary");
+			return false;
+		}
+
 		return m_Packet->extendLayer(this, offsetInLayer, numOfBytesToExtend);
 	}
 
@@ -89,14 +108,20 @@ namespace pcpp
 			return false;
 		}
 
-		if (m_Packet == nullptr)
+		if (offsetInLayer < 0)
+		{
+			PCPP_LOG_ERROR("Requested offset is negative");
+			return false;
+		}
+
+		if (static_cast<size_t>(offsetInLayer) >= m_DataLen)
 		{
-			if ((size_t)offsetInLayer >= m_DataLen)
-			{
-				PCPP_LOG_ERROR("Requested offset is larger than data length");
-				return false;
-			}
+			PCPP_LOG_ERROR("Requested offset is larger than data length");
+			return false;
+		}
 
+		if (m_Packet == nullptr)
+		{
 			uint8_t* newData = new uint8_t[m_DataLen - numOfBytesToShorten];
 			memcpy(newData, m_Data, offsetInLayer);
 			memcpy(newData + offsetInLayer, m_Data + offsetInLayer + numOfBytesToShorten,
@@ -107,6 +132,28 @@ namespace pcpp
 			return true;
 		}
 
+		if (static_cast<size_t>(offsetInLayer) + numOfBytesToShorten > m_DataLen)
+		{
+			PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than data length");
+			return false;
+		}
+
+		if (m_Data - m_Packet->m_RawPacket->getRawData() + static_cast<ptrdiff_t>(offsetInLayer) +
+		        static_cast<ptrdiff_t>(numOfBytesToShorten) >
+		    static_cast<ptrdiff_t>(m_Packet->m_RawPacket->getRawDataLen()))
+		{
+			PCPP_LOG_ERROR("Requested number of bytes to shorten is larger than total packet length");
+			return false;
+		}
+
+		if (m_NextLayer != nullptr &&
+		    static_cast<ptrdiff_t>(offsetInLayer) + static_cast<ptrdiff_t>(numOfBytesToShorten) >
+		        m_NextLayer->m_Data - m_Data)
+		{
+			PCPP_LOG_ERROR("Requested number of bytes to shorten exceeds current layer's boundary");
+			return false;
+		}
+
 		return m_Packet->shortenLayer(this, offsetInLayer, numOfBytesToShorten);
 	}
 

Packet++/src/Packet.cpp

@@ -609,6 +609,9 @@ namespace pcpp
 			// assuming header length of the layer that requested to be extended hasn't been enlarged yet
 			size_t headerLen = curLayer->getHeaderLen() + (curLayer == layer ? numOfBytesToExtend : 0);
 			dataPtr += headerLen;
+
+			if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
+				break;
 		}
 
 		return true;
@@ -660,6 +663,8 @@ namespace pcpp
 			// assuming header length of the layer that requested to be extended hasn't been enlarged yet
 			size_t headerLen = curLayer->getHeaderLen() - (curLayer == layer ? numOfBytesToShorten : 0);
 			dataPtr += headerLen;
+			if (dataPtr > m_RawPacket->getRawData() + m_RawPacket->getRawDataLen())
+				break;
 			curLayer = curLayer->getNextLayer();
 		}