2 changes: 2 additions & 0 deletions ospf6d/ospf6_message.c
Expand Up @@ -1648,6 +1648,8 @@ static void ospf6_lsupdate_recv(struct in6_addr *src, struct in6_addr *dst,
/* Process LSAs */
for (p = (char *)((caddr_t)lsupdate + sizeof(struct ospf6_lsupdate));
p < OSPF6_MESSAGE_END(oh) &&
ospf6_lsa_size((struct ospf6_lsa_header *)p) >=
sizeof(struct ospf6_lsa_header) &&
p + ospf6_lsa_size((struct ospf6_lsa_header *)p) <=
OSPF6_MESSAGE_END(oh);
p += ospf6_lsa_size((struct ospf6_lsa_header *)p)) {
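Review bot: the new size term still reads header->length before the loop has established that a full struct ospf6_lsa_header lies inside the message. The first condition, `p < OSPF6_MESSAGE_END(oh)`, only guarantees that one byte remains, yet `ospf6_lsa_size((struct ospf6_lsa_header *)p) >= sizeof(struct ospf6_lsa_header)` dereferences the length field at the tail of that header, so a message with 1 to sizeof(struct ospf6_lsa_header) - 1 trailing bytes is still read past its end. Make the first term `p + sizeof(struct ospf6_lsa_header) <= OSPF6_MESSAGE_END(oh)`, keep the new size check second and the existing `p + ospf6_lsa_size(...) <= OSPF6_MESSAGE_END(oh)` third. The size check itself is worth keeping in that position: without it an LSA advertising length 0 passes the end-of-buffer test and `p += ospf6_lsa_size(...)` makes no progress. Since ospf6_lsa_size() is now evaluated three times per iteration, a local holding the size once would also make the condition easier to audit.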
Comment on lines 1650 to 1655

P1 Missing full-header guard before ospf6_lsa_size() call

ospf6_lsa_size() reads header->length at byte offset 18 inside struct ospf6_lsa_header. The current first condition p < OSPF6_MESSAGE_END(oh) allows ospf6_lsa_size() to be called when as little as 1 byte remains, which means the 2-byte length field read at offset 18 goes past the end of the message buffer — the same class of out-of-bounds read the PR is trying to prevent.

Every other receive loop in this file guards with p + sizeof(struct ospf6_lsa_header) <= OSPF6_MESSAGE_END(oh) first (see ospf6_lsack_recv at line 1694, the two lsreq loops at lines 753 and 981). The first condition here should be changed to match that pattern:

p + sizeof(struct ospf6_lsa_header) <= OSPF6_MESSAGE_END(oh) before invoking ospf6_lsa_size(), followed by the new size check, followed by the existing end-of-buffer check.

This ensures the header can be safely read before inspecting its length field.
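As an added illustration of the guard order the comment above describes (this is example code written for this page, not FRRouting's code and not part of the PR), here is a small C re-creation of the LSA walk. `struct lsa_header` mirrors the RFC 5340 wire layout that `struct ospf6_lsa_header` follows (20 bytes, 2-byte length at offset 18); `walk_lsas`, `put_lsa`, `scenario` and the message bodies they build are constructed for this example and are assumptions, not project identifiers. The walk checks the full header is in bounds, then that the advertised length covers at least the header, then that the whole LSA fits, and reports which check stopped it.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OSPFv3 LSA header wire layout (RFC 5340): 20 bytes, length field last. */
struct lsa_header {
	uint16_t age, type;
	uint32_t id, adv_router, seqnum;
	uint16_t checksum;
	uint16_t length; /* whole LSA incl. header, network byte order */
};
#define LSA_HDR_LEN sizeof(struct lsa_header)

enum lsa_walk_status {
	LSA_WALK_OK = 0,       /* LSAs consumed the body exactly */
	LSA_WALK_SHORT_HEADER, /* 1..19 bytes left: header read would overrun */
	LSA_WALK_BAD_LENGTH,   /* length < header: p += size would never advance */
	LSA_WALK_OVERRUN,      /* length runs past the end of the message */
};
struct lsa_walk { int count; enum lsa_walk_status status; };

/* Hardened counterpart of the ospf6_lsupdate_recv() loop (example, not FRR
 * code): guards run in the order the review asks for, and lengths rather than
 * pointers are compared so p + size cannot overflow. The length is fetched
 * with memcpy so an unaligned p is never dereferenced through a struct. */
struct lsa_walk walk_lsas(const uint8_t *body, size_t body_len)
{
	const uint8_t *p = body, *end = body + body_len;
	struct lsa_walk r = { 0, LSA_WALK_OK };
	uint16_t len16;
	while (p < end) {
		size_t remaining = (size_t)(end - p), size;
		/* 1. full header in bounds before its length field is read */
		if (remaining < LSA_HDR_LEN) {
			r.status = LSA_WALK_SHORT_HEADER;
			break;
		}
		memcpy(&len16, p + offsetof(struct lsa_header, length), sizeof(len16));
		size = ntohs(len16); /* what ospf6_lsa_size() returns */
		/* 2. length must cover the header, else no forward progress */
		if (size < LSA_HDR_LEN) {
			r.status = LSA_WALK_BAD_LENGTH;
			break;
		}
		/* 3. the whole LSA must fit in what remains */
		if (size > remaining) {
			r.status = LSA_WALK_OVERRUN;
			break;
		}
		r.count++;
		p += size;
	}
	return r;
}

/* Constructed LSA: header advertising declared_len, zero-filled so that
 * bytes_present bytes (>= LSA_HDR_LEN) really exist in the buffer. */
static size_t put_lsa(uint8_t *dst, uint16_t declared_len, size_t bytes_present)
{
	struct lsa_header h = { 0 };
	h.type = htons(0x2001); /* Router-LSA; arbitrary for this example */
	h.length = htons(declared_len);
	memset(dst, 0, bytes_present);
	memcpy(dst, &h, sizeof(h));
	return bytes_present;
}

/* Constructed message bodies: 0 = well formed, 1 = stray trailing byte (what
 * `p < end` alone lets through), 2 = zero length, 3 = length past the end. */
struct lsa_walk scenario(int which)
{
	uint8_t buf[128];
	size_t len = 0;
	switch (which) {
	case 0:
		len += put_lsa(buf + len, 20, 20);
		len += put_lsa(buf + len, 36, 36);
		break;
	case 1:
		len += put_lsa(buf + len, 20, 20);
		buf[len++] = 0xff;
		break;
	case 2: len += put_lsa(buf + len, 0, 20); break;
	case 3: len += put_lsa(buf + len, 64, 20); break;
	}
	return walk_lsas(buf, len);
}

int main(void)
{
	for (int i = 0; i < 4; i++)
		printf("scenario %d: %d LSA(s), status %d\n", i,
		       scenario(i).count, scenario(i).status);
	return 0;
}
```

Scenario 1 is exactly the input that `p < OSPF6_MESSAGE_END(oh)` admits on its own: one byte remains, so a real `ospf6_lsa_size()` call would fetch two bytes starting 18 bytes past that single byte. Scenario 2 is why the size check belongs ahead of the end-of-buffer check; a zero length satisfies `p + 0 <= end` and then never advances. Comparing `size > remaining` instead of forming `p + size` also avoids computing a pointer past the end of the buffer, which the original `p + ospf6_lsa_size(...) <= OSPF6_MESSAGE_END(oh)` form does whenever the length is oversized.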
