From c27757965a55e181b3f63239249bbd6ce249a082 Mon Sep 17 00:00:00 2001
From: Jafar Al-Gharaibeh <jafar@atcorp.com>
Date: Mon, 9 Mar 2026 14:36:22 -0500
Subject: [PATCH] bgpd: fix off-by-one error in FlowSpec operator array bounds
check
Change loop > BGP_PBR_MATCH_VAL_MAX to loop >= BGP_PBR_MATCH_VAL_MAX
in bgp_flowspec_op_decode() and bgp_flowspec_bitmask_decode() to
prevent writing one element past the end of the mval[] array when
more than 5 chained operators are present in a FlowSpec component.
Reported-by: Jiahao Lei
Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
---
bgpd/bgp_flowspec_util.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 90e9236..4dd5034 100644
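--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -266,8 +266,10 @@ int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
 
 *error = 0;
 do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
 *error = -2;
+ return offset;
+ }
 hex2bin(&nlri_ptr[offset], op);
 offset++;
 len = 2*op[2]+op[3];
@@ -370,8 +372,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
 
 *error = 0;
 do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop >= BGP_PBR_MATCH_VAL_MAX) {
 *error = -2;
+ return offset;
+ }
 hex2bin(&nlri_ptr[offset], op);
 /* if first element, AND bit can not be set */
 if (op[1] == 1 && loop == 0)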
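Review bot: The new early return in `bgp_flowspec_op_decode()` (and the identical one in `bgp_flowspec_bitmask_decode()`) hands back `offset` while `*error` is -2, and nothing in either hunk states what that return value means on the error path. The callers and the rest of both loops are outside the hunks, so this is inferred: a caller that advances its NLRI cursor by the return value before testing `*error` would resume parsing in the middle of an operator chain. I would record the contract at the check, e.g. `/* mval[] holds BGP_PBR_MATCH_VAL_MAX entries; on overflow set *error = -2 and stop, the returned offset is not a valid component length */`. A decoder test feeding exactly BGP_PBR_MATCH_VAL_MAX and BGP_PBR_MATCH_VAL_MAX + 1 chained operators to each function would pin the boundary this patch moves.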
--
2.52.0