staticd: reject route config with too many nexthops

Restrict the number of nexthops for a route to the compiled-in limit. Be careful with the zapi route struct's array of nexthops too. Signed-off-by: Mark Stapp <mstapp@nvidia.com>
2022-02-17 09:49:41 -05:00 · 2022-02-17 09:49:41 -05:00 · 1f7ab1a2cc
parent abc246e193
commit 1f7ab1a2cc
2 changed files with 10 additions and 1 deletions
--- a/staticd/static_nb_config.c
+++ b/staticd/static_nb_config.c
@ -115,7 +115,7 @@ static int static_path_list_tag_modify(struct nb_cb_modify_args *args)
 }

 struct nexthop_iter {
-	int count;
+	uint32_t count;
 	bool blackhole;
 };

@ -171,6 +171,11 @@ static bool static_nexthop_create(struct nb_cb_create_args *args)
 				args->errmsg, args->errmsg_len,
 				"Route cannot have blackhole and non-blackhole nexthops simultaneously");
 			return NB_ERR_VALIDATION;
+		} else if (iter.count > zebra_ecmp_count) {
+			snprintf(args->errmsg, args->errmsg_len,
+				"Route cannot have more than %d ECMP nexthops",
+				 zebra_ecmp_count);
+			return NB_ERR_VALIDATION;
 		}
 		break;
 	case NB_EV_PREPARE:
--- a/staticd/static_zebra.c
+++ b/staticd/static_zebra.c
@ -414,6 +414,10 @@ extern void static_zebra_route_add(struct static_path *pn, bool install)
 		api.tableid = pn->table_id;
 	}
 	frr_each(static_nexthop_list, &pn->nexthop_list, nh) {
+		/* Don't overrun the nexthop array */
+		if (nh_num == zebra_ecmp_count)
+			break;
+
 		api_nh = &api.nexthops[nh_num];
 		if (nh->nh_vrf_id == VRF_UNKNOWN)
 			continue;