ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV

When parsing the SR-Algorithm TLV in the OSPF Router Information Opaque
LSA, assure that not more than the maximum number of supported
algorithms are copied from the TLV.

Signed-off-by: Acee Lindem <acee@lindem.com>
(cherry picked from commit 0dc969185fdd75fd007c9b29e11be57a078236df)

diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c
index 3a71e55710823d87079ec374b1066617976a8572..419702b794589cf526a27cdf1535878fa28ba40f 100644 (file)
--- a/ospfd/ospf_sr.c
+++ b/ospfd/ospf_sr.c
@@ -1474,7 +1474,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
        /* Update Algorithm, SRLB and MSD if present */
        if (algo != NULL) {
                int i;
-               for (i = 0; i < ntohs(algo->header.length); i++)
+               for (i = 0;
+                    i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++)
                        srn->algo[i] = algo->value[0];
                for (; i < ALGORITHM_COUNT; i++)
                        srn->algo[i] = SR_ALGORITHM_UNSET;