Commit 8cbc75db authored by Juliusz Chroboczek's avatar Juliusz Chroboczek

Fix (non-exploitable) buffer-overflow in packet parser.

The check for a TLV going beyond the end of the packet was off by two.
A malformed packet could possibly cause babeld to read two octets beyond
the end of the read buffer.

While technically a buffer overflow, this is most probably not
exploitable, since it is a read-only overflow: at worst, two octets of
garbage past the end of the buffer would be parsed and treated as valid data.
parent 24a9fdcb
......@@ -154,7 +154,7 @@ parse_update_subtlv(struct interface *ifp, int metric,
return -1;
}
len = a[i + 1];
if(i + len > alen) {
if(i + len + 2 > alen) {
fprintf(stderr, "Received truncated sub-TLV on Update.\n");
return -1;
}
......@@ -196,7 +196,7 @@ parse_hello_subtlv(const unsigned char *a, int alen,
return -1;
}
len = a[i + 1];
if(i + len > alen) {
if(i + len + 2 > alen) {
fprintf(stderr, "Received truncated sub-TLV on Hello.\n");
return -1;
}
......@@ -250,7 +250,7 @@ parse_ihu_subtlv(const unsigned char *a, int alen,
return -1;
}
len = a[i + 1];
if(i + len > alen) {
if(i + len + 2 > alen) {
fprintf(stderr, "Received truncated sub-TLV on IHU.\n");
return -1;
}
......@@ -303,7 +303,7 @@ parse_other_subtlv(const unsigned char *a, int alen)
return -1;
}
len = a[i + 1];
if(i + len > alen) {
if(i + len + 2 > alen) {
fprintf(stderr, "Received truncated sub-TLV.\n");
return -1;
}
......@@ -395,7 +395,7 @@ parse_packet(const unsigned char *from, struct interface *ifp,
break;
}
len = message[1];
if(i + len > bodylen) {
if(i + len + 2 > bodylen) {
fprintf(stderr, "Received truncated message.\n");
break;
}
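Review bot: The corrected bound `i + len + 2 > alen` (and `> bodylen` in parse_packet) is right, but the `2` is an unexplained magic number now duplicated in five identical checks, and nothing in the hunks says what it accounts for; a one-line comment on each, `/* +2: the type and length octets that precede the value */`, or a single shared `#define TLV_HEADER_LEN 2` used in all five conditions, would make the next reader less likely to reintroduce the same off-by-two. Note that the new condition is evaluated after `len = a[i + 1]` (and `message[1]`) has already been read, so it does not by itself guarantee that the length octet is inside the buffer; that relies on the preceding check whose body starts outside the hunk (`return -1; }` is all that is visible), and that check must stay in place alongside this fix. Every enclosing function here begins before its hunk and continues after it, so the loop increment that consumes `len + 2` octets is not visible and is assumed to match.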