path: root/ospfd/ospf_ldp_sync.c
author Olivier Dugeon <olivier.dugeon@orange.com> 2024-04-05 12:57:11 +0200
committer Mergify <37929162+mergify[bot]@users.noreply.github.com> 2024-05-24 19:32:18 +0000
commit fcb339c4ea3134b977cebc910c45ad5bf0992feb
tree 98fd6581cb8a7d6187e3ee66139aeed34decb4c9 /ospfd/ospf_ldp_sync.c
parent fb1020ff7d032948bd121bd1603bed41afb73e29
ospfd: Correct Opaque LSA Extended parser
Iggy Frankovic discovered another ospfd crash when performing fuzzing of OSPF LSA packets. The crash occurs in ospf_te_parse_ext_link() function when attempting to read Segment Routing Adjacency SID subTLVs. The original code doesn't check if the size of the Extended Link TLVs and subTLVs have the correct length. In presence of erroneous LSA, this will cause a buffer overflow and ospfd crashes.

This patch introduces new verification of the subTLVs size for Extended Link TLVs and subTLVs. Similar check has been also introduced for the Extended Prefix TLV.

Co-authored-by: Iggy Frankovic <iggyfran@amazon.com>
Signed-off-by: Olivier Dugeon <olivier.dugeon@orange.com>
(cherry picked from commit 5557a289acdaeec8cc63ffc97b5c2abf6dee7b3a)
Diffstat (limited to 'ospfd/ospf_ldp_sync.c')
0 files changed, 0 insertions, 0 deletions