diff options
| author | Acee Lindem <acee@lindem.com> | 2024-09-18 18:09:19 +0000 |
|---|---|---|
| committer | Mergify <37929162+mergify[bot]@users.noreply.github.com> | 2024-09-18 23:58:05 +0000 |
| commit | 84e556607d0524f55dba097645327012caa21143 (patch) | |
| tree | b49ed988bc49b09af0eb761289d06d900ecd7eda | |
| parent | e1efbc3057bd0109b7a495c584375df3c7e855f1 (diff) | |
ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV
When parsing the SR-Algorithm TLV in the OSPF Router Information Opaque
LSA, assure that not more than the maximum number of supported
algorithms are copied from the TLV.
Signed-off-by: Acee Lindem <acee@lindem.com>
(cherry picked from commit 0dc969185fdd75fd007c9b29e11be57a078236df)
| -rw-r--r-- | ospfd/ospf_sr.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c index 3a71e55710..419702b794 100644 --- a/ospfd/ospf_sr.c +++ b/ospfd/ospf_sr.c @@ -1474,7 +1474,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa) /* Update Algorithm, SRLB and MSD if present */ if (algo != NULL) { int i; - for (i = 0; i < ntohs(algo->header.length); i++) + for (i = 0; + i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++) srn->algo[i] = algo->value[0]; for (; i < ALGORITHM_COUNT; i++) srn->algo[i] = SR_ALGORITHM_UNSET; |