From: Acee Lindem <acee@lindem.com>
Date: Wed, 18 Sep 2024 18:09:19 +0000 (+0000)
Subject: ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV
X-Git-Tag: docker/8.4.7~6^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=13cc2ace441ae39d5d0225cafc4f33f08ae14928;p=matthieu%2Ffrr.git

ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV

When parsing the SR-Algorithm TLV in the OSPF Router Information Opaque
LSA, assure that not more than the maximum number of supported
algorithms are copied from the TLV.

Signed-off-by: Acee Lindem <acee@lindem.com>
(cherry picked from commit 0dc969185fdd75fd007c9b29e11be57a078236df)
---

diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c
index 3a71e55710..419702b794 100644
--- a/ospfd/ospf_sr.c
+++ b/ospfd/ospf_sr.c
@@ -1474,7 +1474,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
 	/* Update Algorithm, SRLB and MSD if present */
 	if (algo != NULL) {
 		int i;
-		for (i = 0; i < ntohs(algo->header.length); i++)
+		for (i = 0;
+		     i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = algo->value[0];
 		for (; i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = SR_ALGORITHM_UNSET;