ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV

When parsing the SR-Algorithm TLV in the OSPF Router Information Opaque LSA, assure that not more than the maximum number of supported algorithms are copied from the TLV. Signed-off-by: Acee Lindem <acee@lindem.com> (cherry picked from commit 0dc969185fdd75fd007c9b29e11be57a078236df)
author: Acee Lindem <acee@lindem.com> 2024-09-18 18:09:19 +0000
committer: Mergify <37929162+mergify[bot]@users.noreply.github.com> 2024-09-18 23:56:53 +0000
commit: 122f4ac4b938a81c5e8bcebdd484e1cce87e6f21 (patch)
tree: 5aa329084d3388c3dc5550c02b47b7f5d909e764 /ospfd/ospf_sr.c
parent: 3d5b074bb61893a81369325c0ad0acbcab53edae (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c
index e26fe6f53a..db7e4180f5 100644
--- a/ospfd/ospf_sr.c
+++ b/ospfd/ospf_sr.c
@@ -1459,7 +1459,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
 	/* Update Algorithm, SRLB and MSD if present */
 	if (algo != NULL) {
 		int i;
-		for (i = 0; i < ntohs(algo->header.length); i++)
+		for (i = 0;
+		     i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = algo->value[0];
 		for (; i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = SR_ALGORITHM_UNSET;
author	Acee Lindem <acee@lindem.com>	2024-09-18 18:09:19 +0000
committer	Mergify <37929162+mergify[bot]@users.noreply.github.com>	2024-09-18 23:56:53 +0000
commit	122f4ac4b938a81c5e8bcebdd484e1cce87e6f21 (patch)
tree	5aa329084d3388c3dc5550c02b47b7f5d909e764 /ospfd/ospf_sr.c
parent	3d5b074bb61893a81369325c0ad0acbcab53edae (diff)