authorDonald Sharp <sharpd@nvidia.com>2023-02-23 13:29:32 -0500
committerDonald Sharp <sharpd@nvidia.com>2023-02-23 13:29:32 -0500
commit0b999c886e241c52bd1f7ef0066700e4b618ebb3 (patch)
tree0fbf7f24bb4831fae5834fd40ee57ceae4a6e266 /bgpd/bgp_flowspec.c
parent4b0d6b4244aff02be34c5b416b25b7259bf66350 (diff)
bgpd: Flowspec overflow issue
According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>> Specifying 0 as a length makes BGP get all warm on the inside. Which in this case is not a good thing at all. Prevent warmth, stay cold on the inside. Reported-by: Iggy Frankovic <iggyfran@amazon.com> Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Diffstat (limited to 'bgpd/bgp_flowspec.c')
-rw-r--r--bgpd/bgp_flowspec.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c
index 8d5ca5e777..f9debe43cd 100644
--- a/bgpd/bgp_flowspec.c
+++ b/bgpd/bgp_flowspec.c
@@ -127,6 +127,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
psize);
return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
}
+
+ if (psize == 0) {
+ flog_err(EC_BGP_FLOWSPEC_PACKET,
+ "Flowspec NLRI length 0 which makes no sense");
+ return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
+ }
+
if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
flog_err(
EC_BGP_FLOWSPEC_PACKET,
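Review bot: The new `if (psize == 0)` branch logs the rejection without naming the neighbor that sent it, so an operator who sees "Flowspec NLRI length 0 which makes no sense" cannot tell which session delivered the malformed update. `peer` is already a parameter of bgp_nlri_parse_flowspec, so the message could carry it, for example `"%s: Flowspec NLRI with zero length rejected", peer->host`. The branch also returns `BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW` although a zero length is a malformed-length case rather than an overrun; if the error enum has a more specific length or flowspec-format value, using it would keep the log and the return code in agreement. A short comment above the check, such as `/* A zero-length flowspec NLRI has no components to validate; reject it before bgp_fs_nlri_validate() is handed pnt. */`, would record why the guard has to sit ahead of the validation call. The function body starts and ends outside this hunk, so how callers treat the returned code is not visible here.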