From bf11a19e932b553e7dffbbcf257e19e155c67e57 Mon Sep 17 00:00:00 2001
From: Philippe Guibert
Date: Tue, 27 Jun 2023 18:21:53 +0200
Subject: [PATCH] bgpd: fix covery 1566055, label table overrun

In case the full label stack is used, there may be a table overrun happening. Avoid it by increasing the size of the table.
Fixes: 27f4deed0ac1 ("bgpd: update the mpls entry to handle return traffic")
Signed-off-by: Philippe Guibert
---
 bgpd/bgp_mplsvpn.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/bgpd/bgp_mplsvpn.c b/bgpd/bgp_mplsvpn.c
index 51246b170e..9d2335a03c 100644
--- a/bgpd/bgp_mplsvpn.c
+++ b/bgpd/bgp_mplsvpn.c
@@ -4023,14 +4023,21 @@ static void bgp_mplsvpn_nh_label_bind_send_nexthop_label(
 }
 p = &pfx_nh;
 if (nh->nh_label) {
- if (nh->nh_label->num_labels >
- MPLS_MAX_LABELS - num_labels)
- lsp_num_labels = MPLS_MAX_LABELS - num_labels;
- else
- lsp_num_labels = nh->nh_label->num_labels;
+ if (nh->nh_label->num_labels + 1 > MPLS_MAX_LABELS) {
+ /* label stack overflow. no label switching will be performed
+ */
+ flog_err(EC_BGP_LABEL,
+ "%s [Error] BGP label %u->%u to %pFX, forged label stack too big: %u. Abort LSP installation",
+ bmnc->bgp_vpn->name_pretty,
+ bmnc->new_label, bmnc->orig_label,
+ &bmnc->nexthop,
+ nh->nh_label->num_labels + 1);
+ return;
+ }
+ lsp_num_labels = nh->nh_label->num_labels;
 for (i = 0; i < lsp_num_labels; i++)
 label[num_labels + i] = nh->nh_label->label[i];
- num_labels += lsp_num_labels;
+ num_labels = lsp_num_labels;
 }
 label[num_labels] = bmnc->orig_label;
 num_labels += 1;
-- 2.39.5
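Review bot: The new bound in the `if (nh->nh_label)` block tests only `nh->nh_label->num_labels + 1 > MPLS_MAX_LABELS`, while the copy loop below it still writes to `label[num_labels + i]` and the block now ends with `num_labels = lsp_num_labels;` instead of `+=`. That is only safe if `num_labels` is always 0 on entry to this block, which the hunk does not show (the function starts and continues outside it); if it can be non-zero, the write can still run past the array and the labels already placed are discarded. Either fold the current count into the guard, `if (num_labels + nh->nh_label->num_labels + 1 > MPLS_MAX_LABELS) {`, and keep `num_labels += lsp_num_labels;`, or index with `label[i]` and add a comment such as `/* num_labels is 0 here: the nexthop labels start the stack */`. The guard also presumes `label` is declared with at least `MPLS_MAX_LABELS` entries, and the commit message speaks of increasing the table size although no declaration changes in this hunk, so that declaration is worth confirming.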