If you supply all the (valid) entries in an MPLS label dict for the label stack to a call to bier_add_route, then the packing code in PAPI tries to write out more data than the pack buffer will hold.  It appears to have miscalculated the buffer length (perhaps because this is a struct-in-struct use case).  When no dict entries are supplied, the code completes - though the message created may be short, it's unclear.

The fact that behaviour changes between MPLS labels with and without dict entries is also incorrect.  The PAPI should be defaulting values for labels without entries (to, presumably, zero-byte settings) and should still be checking the message length.  VPP probably also ought to be checking the message length on receipt.  Either way, something a bit fishy is going on if this slips through.