bgpd: fix covery 1566055, label table overrun

In case the full label stack is used, there may be
a table overrun happening. Avoid it by increasing the
size of the table.

Fixes: 27f4deed0ac1 ("bgpd: update the mpls entry to handle return traffic")
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

diff --git a/bgpd/bgp_mplsvpn.c b/bgpd/bgp_mplsvpn.c
index 51246b170edb23beae02edc8d5e3b8db679f6966..9d2335a03c26c8768b91f331eede5fb098798dc1 100644 (file)
--- a/bgpd/bgp_mplsvpn.c
+++ b/bgpd/bgp_mplsvpn.c
@@ -4023,14 +4023,21 @@ static void bgp_mplsvpn_nh_label_bind_send_nexthop_label(
                }
                p = &pfx_nh;
                if (nh->nh_label) {
-                       if (nh->nh_label->num_labels >
-                           MPLS_MAX_LABELS - num_labels)
-                               lsp_num_labels = MPLS_MAX_LABELS - num_labels;
-                       else
-                               lsp_num_labels = nh->nh_label->num_labels;
+                       if (nh->nh_label->num_labels + 1 > MPLS_MAX_LABELS) {
+                               /* label stack overflow. no label switching will be performed
+                                */
+                               flog_err(EC_BGP_LABEL,
+                                        "%s [Error] BGP label %u->%u to %pFX, forged label stack too big: %u. Abort LSP installation",
+                                        bmnc->bgp_vpn->name_pretty,
+                                        bmnc->new_label, bmnc->orig_label,
+                                        &bmnc->nexthop,
+                                        nh->nh_label->num_labels + 1);
+                               return;
+                       }
+                       lsp_num_labels = nh->nh_label->num_labels;
                        for (i = 0; i < lsp_num_labels; i++)
                                label[num_labels + i] = nh->nh_label->label[i];
-                       num_labels += lsp_num_labels;
+                       num_labels = lsp_num_labels;
                }
                label[num_labels] = bmnc->orig_label;
                num_labels += 1;