summaryrefslogtreecommitdiff
path: root/ospf6d/ospf6_gr_helper.c
diff options
context:
space:
mode:
Diffstat (limited to 'ospf6d/ospf6_gr_helper.c')
-rw-r--r--ospf6d/ospf6_gr_helper.c36
1 files changed, 26 insertions, 10 deletions
diff --git a/ospf6d/ospf6_gr_helper.c b/ospf6d/ospf6_gr_helper.c
index ad8998b1ed..84ee35a3ed 100644
--- a/ospf6d/ospf6_gr_helper.c
+++ b/ospf6d/ospf6_gr_helper.c
@@ -157,8 +157,18 @@ static int ospf6_extract_grace_lsa_fields(struct ospf6_lsa *lsa,
length = ntohs(lsah->length) - OSPF6_LSA_HEADER_SIZE;
- for (tlvh = TLV_HDR_TOP(lsah); sum < length;
+ for (tlvh = TLV_HDR_TOP(lsah); sum < length && tlvh;
tlvh = TLV_HDR_NEXT(tlvh)) {
+
+ /* Check TLV len against overall LSA */
+ if (sum + TLV_SIZE(tlvh) > length) {
+ if (IS_DEBUG_OSPF6_GR)
+ zlog_debug(
+ "%s: Malformed packet: Invalid TLV len:%d",
+ __func__, TLV_SIZE(tlvh));
+ return OSPF6_FAILURE;
+ }
+
switch (ntohs(tlvh->type)) {
case GRACE_PERIOD_TYPE:
gracePeriod = (struct grace_tlv_graceperiod *)tlvh;
@@ -202,8 +212,6 @@ static int ospf6_handle_grace_timer_expiry(struct thread *thread)
{
struct ospf6_neighbor *nbr = THREAD_ARG(thread);
- nbr->gr_helper_info.t_grace_timer = NULL;
-
ospf6_gr_helper_exit(nbr, OSPF6_GR_HELPER_GRACE_TIMEOUT);
return OSPF6_SUCCESS;
}
@@ -1180,12 +1188,8 @@ DEFPY(show_ipv6_ospf6_gr_helper,
show_ospf6_gr_helper_details(vty, ospf6, json, uj, detail);
- if (uj) {
- vty_out(vty, "%s\n",
- json_object_to_json_string_ext(
- json, JSON_C_TO_STRING_PRETTY));
- json_object_free(json);
- }
+ if (uj)
+ vty_json(vty, json);
return CMD_SUCCESS;
}
@@ -1237,8 +1241,20 @@ static int ospf6_grace_lsa_show_info(struct vty *vty, struct ospf6_lsa *lsa,
zlog_debug(" TLV info:");
}
- for (tlvh = TLV_HDR_TOP(lsah); sum < length;
+ for (tlvh = TLV_HDR_TOP(lsah); sum < length && tlvh;
tlvh = TLV_HDR_NEXT(tlvh)) {
+
+ /* Check TLV len */
+ if (sum + TLV_SIZE(tlvh) > length) {
+ if (vty)
+ vty_out(vty, "%% Invalid TLV length: %d\n",
+ TLV_SIZE(tlvh));
+ else if (IS_DEBUG_OSPF6_GR)
+ zlog_debug("%% Invalid TLV length: %d",
+ TLV_SIZE(tlvh));
+ return OSPF6_FAILURE;
+ }
+
switch (ntohs(tlvh->type)) {
case GRACE_PERIOD_TYPE:
gracePeriod = (struct grace_tlv_graceperiod *)tlvh;