bgpd: better protect of invalid rtr packets
The length of the RTR PDU should be checked not only against
RTR_MAX_PDU_SIZE but also to ensure that the value is >= sizeof(rh), since
that is the minimal size allowed.
A short length field would trigger the fatal in rtr_parse_header() since
the ibuf holding the PDU would be too small to fetch the header.
While there fix the type of len to size_t. Maybe uint32_t would be better
since we use ntohl()? I'm undecided on that.
--
:wq Claudio
Index: rtr_proto.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/rtr_proto.c,v
diff -u -p -r1.52 rtr_proto.c
--- rtr_proto.c 14 Apr 2025 14:50:29 -0000 1.52
+++ rtr_proto.c 30 Apr 2026 15:36:00 -0000
@@ -431,12 +431,19 @@ rtr_reader_callback(struct ibuf *hdr, vo
struct rtr_session *rs = arg;
struct rtr_header rh;
struct ibuf *b;
- ssize_t len;
+ size_t len;
if (ibuf_get(hdr, &rh, sizeof(rh)) == -1)
return NULL;
len = ntohl(rh.length);
+
+ if (len < sizeof(rh)) {
+ rtr_send_error(rs, hdr, CORRUPT_DATA, "%s: too small: "
+ "%zu bytes", log_rtr_type(rh.type), len);
+ errno = ERANGE;
+ return NULL;
+ }
if (len > RTR_MAX_PDU_SIZE) {
rtr_send_error(rs, hdr, CORRUPT_DATA, "%s: too big: %zu bytes",