From e3db39db57546ebf52ef6fbe59bd77d1d951616a Mon Sep 17 00:00:00 2001 From: Olivier Dugeon Date: Mon, 15 Nov 2021 18:19:35 +0100 Subject: [PATCH] ospfd: Fix wrong parsing of TE subTLV Function ospf_te_parse_te() and ospf_te_delete_te() browse TE TLV but also subTLV. The loop that parse the subTLV check that cummulative read data doesn't exceed the total size of the TLV. However, the sum variable that counts the number of read data was wrongly intialize to 0 instead to 4 (i.e. the initial TLV Header size that is located at the TOP of subTLV). This patch adjust accordingly the initial value of the counter. Signed-off-by: Olivier Dugeon --- ospfd/ospf_te.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c index 03fa572859..c5d1079e91 100644 --- a/ospfd/ospf_te.c +++ b/ospfd/ospf_te.c @@ -2171,7 +2171,7 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa) if ((len == 0) || (ntohs(tlvh->type) != TE_TLV_LINK)) return 0; - sum = 0; + sum = sizeof(struct tlv_header); /* Browse sub-TLV and fulfill Link State Attributes */ for (tlvh = TLV_DATA(tlvh); sum < len; tlvh = TLV_HDR_NEXT(tlvh)) { uint32_t val32, tab32[2]; @@ -2377,7 +2377,7 @@ static int ospf_te_delete_te(struct ls_ted *ted, struct ospf_lsa *lsa) if (ntohs(tlvh->type) == TE_TLV_ROUTER_ADDR) tlvh = TLV_HDR_NEXT(tlvh); len = TLV_BODY_SIZE(tlvh); - sum = 0; + sum = sizeof(struct tlv_header); /* Browse sub-TLV to find Link ID */ for (tlvh = TLV_DATA(tlvh); sum < len; tlvh = TLV_HDR_NEXT(tlvh)) { -- 2.39.5