eabdullin
3ec6d7f6ae
- bgpd: Fix use beyond end of stream of labeled unicast parsing - bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI - bgpd: Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
From 0b999c886e241c52bd1f7ef0066700e4b618ebb3 Mon Sep 17 00:00:00 2001
|
|
From: Donald Sharp <sharpd@nvidia.com>
|
|
Date: Thu, 23 Feb 2023 13:29:32 -0500
|
|
Subject: [PATCH] bgpd: Flowspec overflow issue
|
|
|
|
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
|
|
Specifying 0 as a length makes BGP get all warm on the inside. Which
|
|
in this case is not a good thing at all. Prevent warmth, stay cold
|
|
on the inside.
|
|
|
|
Reported-by: Iggy Frankovic <iggyfran@amazon.com>
|
|
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
|
|
---
|
|
bgpd/bgp_flowspec.c | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
|
|
index 8d5ca5e77779..f9debe43cd45 100644
|
|
--- a/bgpd/bgp_flowspec.c
|
|
+++ b/bgpd/bgp_flowspec.c
|
|
@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
|
|
psize);
|
|
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
|
|
}
|
|
+
|
|
+ if (psize == 0) {
|
|
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
|
|
+ "Flowspec NLRI length 0 which makes no sense");
|
|
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
|
|
+ }
|
|
+
|
|
if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
|
|
flog_err(
|
|
EC_BGP_FLOWSPEC_PACKET,
|