diff options
| author | Acee Lindem <acee@lindem.com> | 2024-09-18 18:09:19 +0000 |
|---|---|---|
| committer | Acee Lindem <acee@lindem.com> | 2024-09-18 18:09:19 +0000 |
| commit | 0dc969185fdd75fd007c9b29e11be57a078236df (patch) | |
| tree | 7d0251c8ccfe796162437d82d953f3938efcd386 /ospfd | |
| parent | 5ae0b26220e5c9269f21e928558f49bba876c9f3 (diff) | |
ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV
When parsing the SR-Algorithm TLV in the OSPF Router Information Opaque
LSA, assure that not more than the maximum number of supported
algorithms are copied from the TLV.
Signed-off-by: Acee Lindem <acee@lindem.com>
Diffstat (limited to 'ospfd')
| -rw-r--r-- | ospfd/ospf_sr.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c index 198309c1ef..97dc578679 100644 --- a/ospfd/ospf_sr.c +++ b/ospfd/ospf_sr.c @@ -1459,7 +1459,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa) /* Update Algorithm, SRLB and MSD if present */ if (algo != NULL) { int i; - for (i = 0; i < ntohs(algo->header.length); i++) + for (i = 0; + i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++) srn->algo[i] = algo->value[0]; for (; i < ALGORITHM_COUNT; i++) srn->algo[i] = SR_ALGORITHM_UNSET; |