diff options
| author | Iggy Frankovic <iggy07@gmail.com> | 2024-05-30 13:59:54 +0200 |
|---|---|---|
| committer | Donald Sharp <sharpd@nvidia.com> | 2024-05-30 14:02:25 +0200 |
| commit | 826f2510e67711045e52cf4b5e3ddef514ed556e (patch) | |
| tree | 46196782a8a3ef75ddad75cb5a874b0c5da14954 /ospf6d | |
| parent | Merge pull request #16109 from donaldsharp/seg6_topotest_fix (diff) | |
| download | frr-826f2510e67711045e52cf4b5e3ddef514ed556e.tar.xz frr-826f2510e67711045e52cf4b5e3ddef514ed556e.zip | |
ospf6d: Prevent heap-buffer-overflow with unknown type
When parsing a osf6 grace lsa field and we receive an
unknown tlv type, ospf6d was not incrementing the pointer
to get beyond the tlv. Leaving a situation where ospf6d
would parse the packet incorrectly.
Signed-off-by: Iggy Frankovic <iggy07@gmail.com>
Diffstat (limited to 'ospf6d')
| -rw-r--r-- | ospf6d/ospf6_gr_helper.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/ospf6d/ospf6_gr_helper.c b/ospf6d/ospf6_gr_helper.c index 229e0a4db..f0e5d3a15 100644 --- a/ospf6d/ospf6_gr_helper.c +++ b/ospf6d/ospf6_gr_helper.c @@ -176,6 +176,7 @@ static int ospf6_extract_grace_lsa_fields(struct ospf6_lsa *lsa, return OSPF6_FAILURE; break; default: + sum += TLV_SIZE(tlvh); if (IS_DEBUG_OSPF6_GR) zlog_debug("%s, Ignoring unknown TLV type:%d", __func__, ntohs(tlvh->type)); |