bgpd: handle fs nlri over 240 bytes

the nlri flowspec above 240 bytes size was not handled.
Over 240 bytes, the length is 2 bytes length, and a calculation must be
done to obtain the real length. This commit handles it appropriately.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

2 files changed, 7 insertions, 2 deletions

diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index 9554638735..17c41636de 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -108,7 +108,7 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
 		return BGP_NLRI_PARSE_ERROR_FLOWSPEC_IPV6_NOT_SUPPORTED;
 	}
 
-	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT) {
+	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
 		flog_err(EC_BGP_FLOWSPEC_PACKET,
 			 "BGP flowspec nlri length maximum reached (%u)",
 			 packet->length);
@@ -124,7 +124,11 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
 			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
 
 		psize = *pnt++;
-
+		if (psize >= FLOWSPEC_NLRI_SIZELIMIT) {
+			psize &= 0x0f;
+			psize = psize << 8;
+			psize |= *pnt++;
+		}
 		/* When packet overflow occur return immediately. */
 		if (pnt + psize > lim) {
 			flog_err(
diff --git a/bgpd/bgp_flowspec_private.h b/bgpd/bgp_flowspec_private.h
index dede4e03d3..cec244c165 100644
--- a/bgpd/bgp_flowspec_private.h
+++ b/bgpd/bgp_flowspec_private.h
@@ -20,6 +20,7 @@
 #define _FRR_BGP_FLOWSPEC_PRIVATE_H
 
 #define FLOWSPEC_NLRI_SIZELIMIT			240
+#define FLOWSPEC_NLRI_SIZELIMIT_EXTENDED		4095
 
 /* Flowspec raffic action bit*/
 #define FLOWSPEC_TRAFFIC_ACTION_TERMINAL	1