From 7023632d3b4fb578c3d511b42d69edec6ab6c18d Mon Sep 17 00:00:00 2001
From: Ondrej Zajicek
Date: Sat, 6 Jun 2026 18:04:03 +0200
Subject: [PATCH] OSPF: Fix OOB read in Router-LSA validation

The missing check in lsa_validate_rt2() may lead to OOB read in OSPFv2 Router-LSA validation for malformed Router-LSAs. The OSPFv3 case is in fact safe, but the patch improves these checks in uniform way.

Reported-By: TristanInSec@gmail.com
---
 proto/ospf/lsalib.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/proto/ospf/lsalib.c b/proto/ospf/lsalib.c
index 7aae96ba5..240f7424e 100644
--- a/proto/ospf/lsalib.c
+++ b/proto/ospf/lsalib.c
@@ -483,6 +483,9 @@ lsa_validate_rt2(struct ospf_lsa_header *lsa, struct ospf_lsa_rt *body)
 while (buf < bufend) {
+ if (buf + sizeof(struct ospf_lsa_rt2_link) > bufend)
+ return 0;
+
 struct ospf_lsa_rt2_link *l = buf;
 buf += sizeof(struct ospf_lsa_rt2_link) + l->no_tos * sizeof(struct ospf_lsa_rt2_tos);
 i++;
@@ -516,12 +519,12 @@ lsa_validate_rt3(struct ospf_lsa_header *lsa, struct ospf_lsa_rt *body)
 while (buf < bufend) {
+ if (buf + sizeof(struct ospf_lsa_rt3_link) > bufend)
+ return 0;
+
 struct ospf_lsa_rt3_link *l = buf;
 buf += sizeof(struct ospf_lsa_rt3_link);
- if (buf > bufend)
- return 0;
-
 if (!((l->type == LSART_PTP) || (l->type == LSART_NET) || (l->type == LSART_VLNK)))
-- 
2.47.3
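Review bot: The added guard in lsa_validate_rt2() computes `buf + sizeof(struct ospf_lsa_rt2_link)` before comparing it with `bufend`, so on a truncated LSA it forms a pointer beyond the end of the body; comparing the remaining length avoids that, e.g. `if ((size_t) (bufend - buf) < sizeof(struct ospf_lsa_rt2_link)) return 0;`, and the same form fits the matching guard in the lsa_validate_rt3() hunk. The subtraction cannot go negative because the loop condition already ensures `buf < bufend`. In the rt2 loop the advance still adds `l->no_tos * sizeof(struct ospf_lsa_rt2_tos)` taken from the LSA itself, and nothing visible here bounds it, so it is worth confirming that a `buf > bufend` rejection remains after `i++;`, presumably just below the hunk. A short comment such as `/* Fixed part of the link must fit before l->no_tos is read */` would record why the check has to precede the dereference. Both function bodies start and end outside their hunks.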