bgpd: Validate large-community-list against UINT_MAX

Signed-off-by: Donatas Abraitis <donatas.abraitis@gmail.com>
2025-08-15 20:32:18 +00:00 · 2019-07-02 15:35:26 +03:00 · 2019-07-02 15:35:26 +03:00 · 5bd66e2dcc
commit 5bd66e2dcc
parent a123bd4ad6
1 changed files with 31 additions and 0 deletions
--- a/bgpd/bgp_clist.c
+++ b/bgpd/bgp_clist.c
@ -27,6 +27,7 @@
 #include "filter.h"
 #include "stream.h"
 #include "jhash.h"
+#include "frrstr.h"

 #include "bgpd/bgpd.h"
 #include "bgpd/bgp_community.h"
@ -1026,6 +1027,33 @@ struct lcommunity *lcommunity_list_match_delete(struct lcommunity *lcom,
 	return lcom;
 }

+/* Helper to check if every octet do not exceed UINT_MAX */
+static int lcommunity_list_valid(const char *community)
+{
+	int octets = 0;
+	char **splits;
+	int num;
+
+	frrstr_split(community, ":", &splits, &num);
+
+	for (int i = 0; i < num; i++) {
+		if (strtoul(splits[i], NULL, 10) > UINT_MAX)
+			return 0;
+
+		if (strlen(splits[i]) == 0)
+			return 0;
+
+		octets++;
+		XFREE(MTYPE_TMP, splits[i]);
+	}
+	XFREE(MTYPE_TMP, splits);
+
+	if (octets < 3)
+		return 0;
+
+	return 1;
+}
+
 /* Set lcommunity-list.  */
 int lcommunity_list_set(struct community_list_handler *ch, const char *name,
 			const char *str, int direct, int style)
@ -1054,6 +1082,9 @@ int lcommunity_list_set(struct community_list_handler *ch, const char *name,
 	}

 	if (str) {
+		if (!lcommunity_list_valid(str))
+			return COMMUNITY_LIST_ERR_MALFORMED_VAL;
+
 		if (style == LARGE_COMMUNITY_LIST_STANDARD)
 			lcom = lcommunity_str2com(str);
 		else