From c27757965a55e181b3f63239249bbd6ce249a082 Mon Sep 17 00:00:00 2001
From: Jafar Al-Gharaibeh
Date: Mon, 9 Mar 2026 14:36:22 -0500
Subject: [PATCH] bgpd: fix off-by-one error in FlowSpec operator array bounds check

Change loop > BGP_PBR_MATCH_VAL_MAX to loop >= BGP_PBR_MATCH_VAL_MAX in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() to prevent writing one element past the end of the mval[] array when more than 5 chained operators are present in a FlowSpec component.

Reported-by: Jiahao Lei
Signed-off-by: Jafar Al-Gharaibeh
---
 bgpd/bgp_flowspec_util.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 90e9236..4dd5034 100644
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -266,8 +266,10 @@ int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
 *error = 0;
 do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
 *error = -2;
+ return offset;
+ }
 hex2bin(&nlri_ptr[offset], op);
 offset++;
 len = 2*op[2]+op[3];
@@ -370,8 +372,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
 *error = 0;
 do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
 *error = -2;
+ return offset;
+ }
 hex2bin(&nlri_ptr[offset], op);
 /* if first element, AND bit can not be set */
 if (op[1] == 1 && loop == 0)
--
2.52.0
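Review bot: The early `return offset;` added under `if (loop >= BGP_PBR_MATCH_VAL_MAX)` in bgp_flowspec_op_decode() hands back a partial byte count that looks like a normal result, so the fix is only complete if every caller tests `*error` before using the return value or the entries already decoded; the callers are outside this hunk and worth checking. The same applies to the identical change in bgp_flowspec_bitmask_decode(). The bare `-2` and the link between the bound and the destination array are undocumented; going by the commit message, a comment such as `/* mval[] holds BGP_PBR_MATCH_VAL_MAX entries: reject before index 'loop' is written */` above each check would help keep a later edit from reintroducing `>`. A regression test that decodes a component with one more chained operator than BGP_PBR_MATCH_VAL_MAX and asserts `*error == -2` would pin the boundary. Both function bodies start and end outside the hunks, so whether `offset` is checked against the NLRI length before `hex2bin(&nlri_ptr[offset], op)` cannot be confirmed from here.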