From: Iggy Frankovic <iggy07@gmail.com>
Date: Thu, 30 May 2024 11:59:54 +0000 (-0400)
Subject: ospf6d: Prevent heap-buffer-overflow with unknown type
X-Git-Tag: docker/9.1.1~3^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=359892fada32f43e5c20207000dd9330334b6a9c;p=matthieu%2Ffrr.git

ospf6d: Prevent heap-buffer-overflow with unknown type

When parsing a osf6 grace lsa field and we receive an
unknown tlv type, ospf6d was not incrementing the pointer
to get beyond the tlv.  Leaving a situation where ospf6d
would parse the packet incorrectly.

Signed-off-by: Iggy Frankovic <iggy07@gmail.com>
(cherry picked from commit 826f2510e67711045e52cf4b5e3ddef514ed556e)
---

diff --git a/ospf6d/ospf6_gr_helper.c b/ospf6d/ospf6_gr_helper.c
index be1042f260..42ea04833c 100644
--- a/ospf6d/ospf6_gr_helper.c
+++ b/ospf6d/ospf6_gr_helper.c
@@ -176,6 +176,7 @@ static int ospf6_extract_grace_lsa_fields(struct ospf6_lsa *lsa,
 				return OSPF6_FAILURE;
 			break;
 		default:
+			sum += TLV_SIZE(tlvh);
 			if (IS_DEBUG_OSPF6_GR)
 				zlog_debug("%s, Ignoring unknown TLV type:%d",
 					   __func__, ntohs(tlvh->type));