Merge pull request #16865 from FRRouting/mergify/bp/stable/9.0/pr-16860

ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV (backport #16860)
FRRouting · Sep 19, 2024 · 4eddddb · 4eddddb
2 parents c9d5af7 + ebd8d3e
commit 4eddddb
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c
@@ -1459,7 +1459,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
 	/* Update Algorithm, SRLB and MSD if present */
 	if (algo != NULL) {
 		int i;
-		for (i = 0; i < ntohs(algo->header.length); i++)
+		for (i = 0;
+		     i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = algo->value[0];
 		for (; i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = SR_ALGORITHM_UNSET;