]> git.puffer.fish Git - mirror/frr.git/commit
projects / mirror / frr.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 298704f) | patch
ospfd: Correct Opaque LSA Extended parser
authorOlivier Dugeon <olivier.dugeon@orange.com>
Fri, 5 Apr 2024 10:57:11 +0000 (12:57 +0200)
committerMergify <37929162+mergify[bot]@users.noreply.github.com>
Fri, 24 May 2024 19:33:35 +0000 (19:33 +0000)
commit4e70b09f24b72fbb27ff5eda63393bfd2a72ef37
tree5121de8c16696d4547cf6a4d5c8639bb1f570279tree | snapshot
parent298704f1e73221172432e2a4afd79086ffcd4ccacommit | diff
ospfd: Correct Opaque LSA Extended parser

Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF
LSA packets. The crash occurs in ospf_te_parse_ext_link() function when
attemping to read Segment Routing Adjacency SID subTLVs. The original code
doesn't check if the size of the Extended Link TLVs and subTLVs have the correct
length. In presence of erronous LSA, this will cause a buffer overflow and ospfd
crashes.

This patch introduces new verification of the subTLVs size for Extended Link
TLVs and subTLVs. Similar check has been also introduced for the Extended
Prefix TLV.

Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a)
ospfd/ospf_te.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.