ospf6d: Prevent heap-buffer-overflow with unknown type

When parsing a osf6 grace lsa field and we receive an
unknown tlv type, ospf6d was not incrementing the pointer
to get beyond the tlv.  Leaving a situation where ospf6d
would parse the packet incorrectly.

Signed-off-by: Iggy Frankovic <iggy07@gmail.com>
(cherry picked from commit 826f2510e67711045e52cf4b5e3ddef514ed556e)

diff --git a/ospf6d/ospf6_gr_helper.c b/ospf6d/ospf6_gr_helper.c
index be1042f260317f554e8bad0caa5b48adab37ac5b..42ea04833c521722b2403abc9eca721e9f1e8038 100644 (file)
--- a/ospf6d/ospf6_gr_helper.c
+++ b/ospf6d/ospf6_gr_helper.c
@@ -176,6 +176,7 @@ static int ospf6_extract_grace_lsa_fields(struct ospf6_lsa *lsa,
                                return OSPF6_FAILURE;
                        break;
                default:
+                       sum += TLV_SIZE(tlvh);
                        if (IS_DEBUG_OSPF6_GR)
                                zlog_debug("%s, Ignoring unknown TLV type:%d",
                                           __func__, ntohs(tlvh->type));