Skip to content

Commit

Permalink
pkg/packet/bgp: fix flowspec parser to check the input length
Browse files Browse the repository at this point in the history 
case EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6:
   ipv6 := net.IP(data[2:18]).String()
   localAdmin := binary.BigEndian.Uint16(data[18:20])
   return NewRedirectIPv6AddressSpecificExtended(ipv6, localAdmin), nil

Note that the `data` length is only checked for being at least 8
bytes, so any message with the given subtype but less than 20 bytes
will crash the application.
  • Loading branch information
@ivg @fujita
ivg authored and fujita committed Feb 7, 2025
1 parent 5693c58 commit ca7383f
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions pkg/packet/bgp/bgp.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12708,6 +12708,10 @@ func parseGenericTransitiveExperimentalExtended(data []byte) (ExtendedCommunityI
dscp := data[7]
return NewTrafficRemarkExtended(dscp), nil
case EC_SUBTYPE_FLOWSPEC_REDIRECT_IP6:
if len(data) < 20 {
return nil, NewMessageError(BGP_ERROR_UPDATE_MESSAGE_ERROR, BGP_ERROR_SUB_MALFORMED_ATTRIBUTE_LIST, nil, "not all extended community bytes for IPv6 FlowSpec are available")
}

ipv6 := net.IP(data[2:18]).String()
localAdmin := binary.BigEndian.Uint16(data[18:20])
return NewRedirectIPv6AddressSpecificExtended(ipv6, localAdmin), nil
Expand Down

0 comments on commit ca7383f

Please sign in to comment.