ospfd: Fix heap corruption vulnerability when parsing SR-Algorithm TLV

When parsing the SR-Algorithm TLV in the OSPF Router Information Opaque LSA, assure that not more than the maximum number of supported algorithms are copied from the TLV. Signed-off-by: Acee Lindem <[email protected]> (cherry picked from commit 0dc9691)
opensourcerouting · Sep 18, 2024 · 84e5566 · 84e5566
1 parent e1efbc3
commit 84e5566
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/ospfd/ospf_sr.c b/ospfd/ospf_sr.c
@@ -1474,7 +1474,8 @@ void ospf_sr_ri_lsa_update(struct ospf_lsa *lsa)
 	/* Update Algorithm, SRLB and MSD if present */
 	if (algo != NULL) {
 		int i;
-		for (i = 0; i < ntohs(algo->header.length); i++)
+		for (i = 0;
+		     i < ntohs(algo->header.length) && i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = algo->value[0];
 		for (; i < ALGORITHM_COUNT; i++)
 			srn->algo[i] = SR_ALGORITHM_UNSET;