summaryrefslogtreecommitdiffstats
path: root/bgpd
diff options
context:
space:
mode:
authorPhilippe Guibert <philippe.guibert@6wind.com>2023-04-28 21:56:19 +0200
committerPhilippe Guibert <philippe.guibert@6wind.com>2023-04-28 22:28:16 +0200
commit9ba97a35a6dd1416f68513c5f717118104d01678 (patch)
treed967475b69eaf2353220d78f072a798d9eb65ff8 /bgpd
parentMerge pull request #13386 from donaldsharp/bgp_received_routes (diff)
downloadfrr-9ba97a35a6dd1416f68513c5f717118104d01678.tar.xz
frr-9ba97a35a6dd1416f68513c5f717118104d01678.zip
bgpd: add some flowspec sanity returns
If an error is detected in an NLRI, immediately return an error, when there is a risk of buffer overflow. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Diffstat (limited to 'bgpd')
-rw-r--r--bgpd/bgp_flowspec_util.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 326d7f2ef..66426ab32 100644
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -185,16 +185,23 @@ int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
offset++;
}
/* Prefix length check. */
- if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8)
+ if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8) {
*error = -1;
+ return offset;
+ }
/* When packet overflow occur return immediately. */
- if (psize + offset > max_len)
+ if (psize + offset > max_len) {
*error = -1;
+ return offset;
+ }
/* Defensive coding, double-check
* the psize fits in a struct prefix
*/
- if (psize > (ssize_t)sizeof(prefix_local.u))
+ if (psize > (ssize_t)sizeof(prefix_local.u)) {
*error = -1;
+ return offset;
+ }
+
memcpy(&prefix_local.u.prefix, &nlri_ptr[offset], psize);
offset += psize;
switch (type) {
@@ -352,8 +359,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
*error = 0;
do {
- if (loop > BGP_PBR_MATCH_VAL_MAX)
+ if (loop > BGP_PBR_MATCH_VAL_MAX) {
*error = -2;
+ return offset;
+ }
hex2bin(&nlri_ptr[offset], op);
/* if first element, AND bit can not be set */
if (op[1] == 1 && loop == 0)