The missing check in lsa_validate_rt2() may lead to OOB read in OSPFv2
Router-LSA validation for malformed Router-LSAs. The OSPFv3 case is in
fact safe, but the patch improves these checks in a uniform way.
Reported-By: TristanInSec@gmail.com
while (buf < bufend)
{
+ if (buf + sizeof(struct ospf_lsa_rt2_link) > bufend)
+ return 0;
+
struct ospf_lsa_rt2_link *l = buf;
buf += sizeof(struct ospf_lsa_rt2_link) + l->no_tos * sizeof(struct ospf_lsa_rt2_tos);
i++;
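Review bot: In the rt2 loop the new guard only proves that the fixed-size struct ospf_lsa_rt2_link fits, while the very next statement advances buf by a further l->no_tos * sizeof(struct ospf_lsa_rt2_tos), a count taken from the packet. Nothing in the visible lines compares that advance against bufend, so please confirm that a buf > bufend test follows i++ outside this context, or validate the TOS length right after reading l->no_tos, so that a link whose TOS entries run past the LSA body is rejected instead of merely ending the loop.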
while (buf < bufend)
{
+ if (buf + sizeof(struct ospf_lsa_rt3_link) > bufend)
+ return 0;
+
struct ospf_lsa_rt3_link *l = buf;
buf += sizeof(struct ospf_lsa_rt3_link);
- if (buf > bufend)
- return 0;
-
if (!((l->type == LSART_PTP) ||
(l->type == LSART_NET) ||
(l->type == LSART_VLNK)))
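Review bot: The guard at the top of the rt3 loop, if (buf + sizeof(struct ospf_lsa_rt3_link) > bufend), builds a pointer that can lie beyond the end of the LSA body before comparing it, and C leaves pointer arithmetic undefined once it goes past one-past-the-end. Comparing the remaining length instead, for example if ((size_t)(bufend - buf) < sizeof(struct ospf_lsa_rt3_link)), rejects the same inputs without relying on that; the loop condition buf < bufend already makes the difference positive. The same form would suit the rt2 guard, keeping the two checks uniform as the commit message intends.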