From: Ondrej Zajicek Date: Sun, 7 Jun 2026 20:00:22 +0000 (+0200) Subject: OSPF: Fix handling of LLS data length field X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10b48dec633ff37d92df29e365da5b50cf51a92c;p=thirdparty%2Fbird.git OSPF: Fix handling of LLS data length field The LLS data length is in 32-bit words, not bytes. Also, minimal valid length should be checked. BIRD does not process LLS data field, but it must be skipped properly when OSPFv3 authentication is verified. Also, the old code could lead to crash due to unaligned access when processing OSPFv3 packets with LLS headers. --- diff --git a/proto/ospf/packet.c b/proto/ospf/packet.c index fbe802ecb..1c9aafa4f 100644 --- a/proto/ospf/packet.c +++ b/proto/ospf/packet.c @@ -312,7 +312,16 @@ ospf_pkt_checkauth3(struct ospf_neighbor *n, struct ospf_iface *ifa, struct ospf DROP("packet length mismatch", len); struct ospf_lls *lls = (void *) ((byte *) pkt + plen); - plen += ntohs(lls->length); + + /* RFC 5613 2.2 - LLS data length is in 32-bit words! */ + uint lls_length = ntohs(lls->length) * 4; + if (lls_length < sizeof(struct ospf_lls)) + DROP("LLS data too short", lls_length); + + if ((plen + lls_length) > len) + DROP("packet length mismatch", len); + + plen += lls_length; } if ((plen + sizeof(struct ospf_auth3)) > len)
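Review bot: The added bounds check `if ((plen + lls_length) > len)` reuses `DROP("packet length mismatch", len);`, the same message the context line just above the `lls` pointer setup already emits, so a drop log cannot tell a bad OSPF packet length from an LLS block that overruns the packet. A distinct message that reports `lls_length`, as the "LLS data too short" branch does, would make these drops diagnosable, for example `DROP("LLS data length mismatch", lls_length);`. Separately, multiplying by 4 keeps `plen` word-aligned only if it was aligned before the LLS block; no alignment check on `plen` is visible in this hunk before `lls->length` is read, so if one exists earlier in `ospf_pkt_checkauth3` a short comment pointing to it would help, since the commit message names unaligned access as the crash cause.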