From: Theo Buehler
Subject: Re: bgpd: limit flowspec size
To: tech@openbsd.org
Date: Mon, 18 May 2026 17:49:13 +0200

On Mon, May 18, 2026 at 02:47:10PM +0200, Claudio Jeker wrote:
> Add a maximum size for a single flowspec rule. Currently 4000 bytes.
> Enforce this both in the parsers but also in the RDE.
> In the RDE flowspec_valid() will error out if the length is too long
> but also pt_get_flow() and pt_add_flow() will error out.
> The fixed buffer in pt_get_flow() is now sized appropriately instead
> of using an arbitrary size.
>
> A size of 4000 is very luxurious and close to the max for regular BGP
> sessions.

ok modulo one typo:

> Index: bgpd/parse.y
[...]
> @@ -5695,9 +5695,16 @@ flow_to_flowspec(struct flowspec_context
> if (ctx->components[i] != NULL)
> len += ctx->complen[i] + 1;
>
> + if (len > FLOWSPEC_SIZE_MAX) {
> + yyerror("flowspec to long %d > %d", len, FLOWSPEC_SIZE_MAX);

too
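
Review bot: The yyerror() format string in the new `if (len > FLOWSPEC_SIZE_MAX)` branch of flow_to_flowspec() reads "flowspec to long" and should read "flowspec too long". The same call passes `len` and `FLOWSPEC_SIZE_MAX` to `%d`; the declarations are not visible here, so if `len` is a size_t or the macro expands to an unsigned constant, the conversion should match the type (or the arguments should be cast) so the reported sizes are correct. The quoted hunk ends at the yyerror() line, so it is worth confirming that this branch returns an error before `len` is used to allocate or fill the flowspec buffer, since the check only helps if nothing past it runs with an oversized length.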