The check for a TLV going beyond the end of the packet was off by two.
A malformed packet could possibly cause babeld to read two octets beyond
the end of the read buffer.

While technically a buffer overflow, this is most probably not
exploitable, since it is a read-only overflow.  At worst, it would
cause two octets of garbage to be parsed and treated as valid data.