bgpd: add some flowspec sanity returns

[mirror_frr.git] / bgpd / bgp_flowspec_util.c

diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index 326d7f2efb2b18b5f71df090e7fa36cc46cfad83..66426ab32f02cb8109ac29ab32028994a9cb3f88 100644 (file)
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -185,16 +185,23 @@ int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
                offset++;
        }
        /* Prefix length check. */
-       if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8)
+       if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8) {
                *error = -1;
+               return offset;
+       }
        /* When packet overflow occur return immediately. */
-       if (psize + offset > max_len)
+       if (psize + offset > max_len) {
                *error = -1;
+               return offset;
+       }
        /* Defensive coding, double-check
         * the psize fits in a struct prefix
         */
-       if (psize > (ssize_t)sizeof(prefix_local.u))
+       if (psize > (ssize_t)sizeof(prefix_local.u)) {
                *error = -1;
+               return offset;
+       }
+
        memcpy(&prefix_local.u.prefix, &nlri_ptr[offset], psize);
        offset += psize;
        switch (type) {
@@ -352,8 +359,10 @@ int bgp_flowspec_bitmask_decode(enum bgp_flowspec_util_nlri_t type,
 
        *error = 0;
        do {
-               if (loop > BGP_PBR_MATCH_VAL_MAX)
+               if (loop > BGP_PBR_MATCH_VAL_MAX) {
                        *error = -2;
+                       return offset;
+               }
                hex2bin(&nlri_ptr[offset], op);
                /* if first element, AND bit can not be set */
                if (op[1] == 1 && loop == 0)