From ebd8d3ea66470f3ae45a9ab52ed4780aa50d6f45 Mon Sep 17 00:00:00 2001 From: Acee Lindem Date: Wed, 18 Sep 2024 18:09:19 +0000 Subject: [PATCH] ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV When parsing the SR-Algorithm TLV in the OSPF Router Information Opaque LSA, assure that not more than the maximum number of supported algorithms are copied from the TLV. Signed-off-by: Acee Lindem (cherry picked from commit 0dc969185fdd75fd007c9b29e11be57a078236df) --- ospfd/ospf_sr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c index e26fe6f53a12..db7e4180f5d4 100644 --- a/ospfd/ospf_sr.c +++ b/ospfd/ospf_sr.c @@ -1459,7 +1459,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa) /* Update Algorithm, SRLB and MSD if present */ if (algo != NULL) { int i; - for (i = 0; i < ntohs(algo->header.length); i++) + for (i = 0; + i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++) srn->algo[i] = algo->value[0]; for (; i < ALGORITHM_COUNT; i++) srn->algo[i] = SR_ALGORITHM_UNSET;