The LLS data length is in 32-bit words, not bytes. Also, the minimum valid
length should be checked. BIRD does not process the LLS data field, but it
must be skipped properly when OSPFv3 authentication is verified.
Also, the old code could lead to a crash due to an unaligned access when
processing OSPFv3 packets with LLS headers.
DROP("packet length mismatch", len);
struct ospf_lls *lls = (void *) ((byte *) pkt + plen);
- plen += ntohs(lls->length);
+
+ /* RFC 5613 2.2 - LLS data length is in 32-bit words! */
+ uint lls_length = ntohs(lls->length) * 4;
+ if (lls_length < sizeof(struct ospf_lls))
+ DROP("LLS data too short", lls_length);
+
+ if ((plen + lls_length) > len)
+ DROP("packet length mismatch", len);
+
+ plen += lls_length;
}
if ((plen + sizeof(struct ospf_auth3)) > len)