From: Ondrej Zajicek <santiago@crfreenet.org>
Date: Sat, 6 Jun 2026 16:04:03 +0000 (+0200)
Subject: OSPF: Fix OOB read in Router-LSA validation
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=refs%2Fheads%2Fmaster;p=thirdparty%2Fbird.git

OSPF: Fix OOB read in Router-LSA validation

The missing check in lsa_validate_rt2() may lead to OOB read in OSPFv2
Router-LSA validation for malformed Router-LSAs. The OSPFv3 case is in
fact safe, but the patch improves these checks in uniform way.

Reported-By: TristanInSec@gmail.com
---

diff --git a/proto/ospf/lsalib.c b/proto/ospf/lsalib.c
index 7aae96ba5..240f7424e 100644
--- a/proto/ospf/lsalib.c
+++ b/proto/ospf/lsalib.c
@@ -483,6 +483,9 @@ lsa_validate_rt2(struct ospf_lsa_header *lsa, struct ospf_lsa_rt *body)
 
   while (buf < bufend)
   {
+    if (buf + sizeof(struct ospf_lsa_rt2_link) > bufend)
+      return 0;
+
     struct ospf_lsa_rt2_link *l = buf;
     buf += sizeof(struct ospf_lsa_rt2_link) + l->no_tos * sizeof(struct ospf_lsa_rt2_tos);
     i++;
@@ -516,12 +519,12 @@ lsa_validate_rt3(struct ospf_lsa_header *lsa, struct ospf_lsa_rt *body)
 
   while (buf < bufend)
   {
+    if (buf + sizeof(struct ospf_lsa_rt3_link) > bufend)
+      return 0;
+
     struct ospf_lsa_rt3_link *l = buf;
     buf += sizeof(struct ospf_lsa_rt3_link);
 
-    if (buf > bufend)
-      return 0;
-
     if (!((l->type == LSART_PTP) ||
 	  (l->type == LSART_NET) ||
 	  (l->type == LSART_VLNK)))