bgpd: Flowspec overflow issue
authorDonald Sharp <sharpd@nvidia.com>
Thu, 23 Feb 2023 18:29:32 +0000 (13:29 -0500)
committerMergify <37929162+mergify[bot]@users.noreply.github.com>
Fri, 24 Feb 2023 07:53:36 +0000 (07:53 +0000)
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>>
Specifying 0 as a length makes BGP get all warm on the inside.  Which
in this case is not a good thing at all.  Prevent warmth, stay cold
on the inside.

Reported-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 0b999c886e241c52bd1f7ef0066700e4b618ebb3)

bgpd/bgp_flowspec.c

index 341cfe9d07e86985bfdcd6be74a1d91d908e7957..6eca1e1bdf67242afc0fb3329d4f6917957b2307 100644 (file)
@@ -141,6 +141,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
                                psize);
                        return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
                }
+
+               if (psize == 0) {
+                       flog_err(EC_BGP_FLOWSPEC_PACKET,
+                                "Flowspec NLRI length 0 which makes no sense");
+                       return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+               }
+
                if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
                        flog_err(
                                EC_BGP_FLOWSPEC_PACKET,
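Review bot: The new `psize == 0` branch logs "Flowspec NLRI length 0 which makes no sense" without naming the sending peer, so an operator reading the log cannot tell which session delivered the malformed update. `peer` is a parameter of this function per the hunk header, so I would write `flog_err(EC_BGP_FLOWSPEC_PACKET, "%s: Flowspec NLRI has zero length, rejecting", peer->host);`. The check also deserves a comment saying why it must come before the validator, for example `/* a zero-length NLRI gives bgp_fs_nlri_validate() no bytes to read; reject it here */` (that the validator reads at least one byte is inferred from the commit title, not visible in the hunk). The branch returns BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW although nothing overflows; if the error enum has a flowspec bad-format value, it would describe the condition better, provided the caller treats it as equally fatal to the update. The enclosing loop and function begin and end outside the hunk.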