Add limits to provider ASN set in both repository and rtr.

NLnetLabs · Jan 10, 2025 · 0b6d046 · 0b6d046
1 parent 325687d
commit 0b6d046
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/src/repository/aspa.rs b/src/repository/aspa.rs
@@ -202,13 +202,19 @@ impl AsProviderAttestation {
 /// This type contains the provider AS set in encoded form. It guarantees that
 /// the AS in this set are ordered, free of duplicates and there is at least
 /// one AS.
+///
+/// It does not, at this point, enforce the maximum allowed number of 16380
+/// ASNs. This will be added with the next breaking change.
 #[derive(Clone, Debug)]
 pub struct ProviderAsSet {
     captured: Captured,
     len: usize,
 }
 
 impl ProviderAsSet {
+    /// The maximum number of ASNs allowed in the set.
+    const MAX_LEN: usize = 16380;
+
     #[allow(clippy::len_without_is_empty)] // never empty
     pub fn len(&self) -> usize {
         self.len
@@ -226,6 +232,9 @@ impl ProviderAsSet {
         ProviderAsIter(self.captured.as_slice().into_source())
     }
 
+    /// Takes the provider ASN sequence from an encoded source.
+    ///
+    /// Enforces a maxium size of 16380 ASNs.
     fn take_from<S: decode::Source>(
         cons: &mut decode::Constructed<S>,
         customer_as: Asn,
@@ -237,6 +246,11 @@ impl ProviderAsSet {
                 while let Some(asn) = Asn::take_opt_from(
                     cons
                 )? {
+                    if len > Self::MAX_LEN {
+                        return Err(cons.content_err(
+                            "too many provider ASNs"
+                        ));
+                    }
                     if asn == customer_as {
                         return Err(cons.content_err(
                             "customer AS in provider AS set"

diff --git a/src/rtr/pdu.rs b/src/rtr/pdu.rs
@@ -799,7 +799,8 @@ impl Aspa {
     /// # Panics
     ///
     /// This function panics if the length of the resulting PDU doesn’t fit
-    /// in a `u32`.
+    /// in a `u32`. Because `ProviderAsns` is now limited in size, this can’t
+    /// happen.
     pub fn new(
         version: u8,
         flags: u8,
@@ -948,6 +949,9 @@ impl AsMut<[u8]> for AspaFixed {
 pub struct ProviderAsns(Bytes);
 
 impl ProviderAsns {
+    /// The maximum number of provider ASNs.
+    const MAX_COUNT: usize = 16380;
+
     /// Returns an empty value.
     pub fn empty() -> Self {
         Self(Bytes::new())
@@ -963,7 +967,7 @@ impl ProviderAsns {
         let iter = iter.into_iter();
         let mut providers = Vec::with_capacity(iter.size_hint().0);
         iter.enumerate().try_for_each(|(idx, item)| {
-            if idx >= usize::from(u16::MAX) {
+            if idx > Self::MAX_COUNT {
                 return Err(ProviderAsnsError(()))
             }
             providers.extend_from_slice(&item.into_u32().to_be_bytes());