bgpd: Flowspec overflow issue
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>.
Specifying 0 as a length makes BGP get all warm on the inside.  Which
in this case is not a good thing at all.  Prevent warmth, stay cold
on the inside.

Reported-by: Iggy Frankovic <[email protected]>
Signed-off-by: Donald Sharp <[email protected]>
(cherry picked from commit 0b999c8)
donaldsharp authored and mergify[bot] committed Feb 24, 2023
1 parent 0810529 commit 2fa384a
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions bgpd/bgp_flowspec.c
Expand Up @@ -141,6 +141,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
psize);
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}

if (psize == 0) {
flog_err(EC_BGP_FLOWSPEC_PACKET,
"Flowspec NLRI length 0 which makes no sense");
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}

if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
flog_err(
EC_BGP_FLOWSPEC_PACKET,
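Review bot: The new `psize == 0` branch returns BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW, the same code as the overflow check directly above it, so a caller or a log reader cannot tell a zero-length NLRI from a length that runs past the packet; if the parse-error enum has a value for a bad length or bad format, returning that here would keep the two cases distinct. The flog_err text "Flowspec NLRI length 0 which makes no sense" also gives an operator nothing to act on: `peer` is already an argument of bgp_nlri_parse_flowspec, so the message could name the peer that sent the NLRI. Placing the check before the call to bgp_fs_nlri_validate(pnt, psize, afi) is right, since it keeps a zero length from reaching the validator; a one-line comment citing the RFC 8955 `<length, <nlri data>>` encoding mentioned in the commit message would record why zero is rejected.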