
print-ospf: guard RI LSA TLV length before subtraction#1441

Open
TristanInSec wants to merge 1 commit into the-tcpdump-group:master from TristanInSec:fix/ospf-ri-lsa-underflow

Conversation

@TristanInSec


The RI LSA TLV dispatch passes tlv_length - 4 to
ospf_print_ri_lsa_sid_label_range_tlv() for TLV types 9 (SID/Label
Range) and 14 (SR Local Block) without checking tlv_length >= 4.

When tlv_length is 0–3, the unsigned subtraction wraps to a large
value, causing the callee's while (tlv_length != 0) loop to read
past the TLV boundary into adjacent packet data.

The fix adds a tlv_length < 4 guard that prints a bogus-length
diagnostic and returns, consistent with other TLV handlers in the
same function (e.g. lines 818/847).

Found by manual audit of commit 9ec6904.

… TLVs

The RI LSA parser passes tlv_length - 4 to
ospf_print_ri_lsa_sid_label_range_tlv() without first checking that
tlv_length >= 4. When tlv_length is 0-3, the unsigned subtraction wraps
to a large value, causing the called function's while loop to read past
the TLV boundary.

Add a minimum length check before the subtraction, consistent with
other RI LSA TLV handlers that already guard their subtractions
(e.g., lines 818 and 847 check tlv_length > 12).

Signed-off-by: Tristan <tristan@talencesecurity.com>
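The unsigned wrap the PR and commit message describe, shown as a constructed C illustration (this is not tcpdump's code, and `dispatch_unguarded`, `dispatch_guarded`, `walk_stays_in_bounds`, `dispatch_result` and `sample_tlv` are names invented for this example). It assumes a 4-byte TLV header (2-byte type, 2-byte length) with `tlv_length` counting header plus body, so that `tlv_length - 4` is the body length handed to the sub-TLV walker; types 9 and 14 are the two TLV types the PR names. The walker is a bounded stand-in for the callee's `while (tlv_length != 0)` loop: rather than reading blindly, it reports whether walking the declared length would stay inside the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not tcpdump's code. Models the RI LSA TLV
 * dispatch the PR describes: a 4-byte header (2-byte type, 2-byte length,
 * assumed layout; tlv_length counts header plus body) whose body is handed
 * to a sub-TLV walker as tlv_length - 4. */

enum {
    RI_TLV_HDR_LEN         = 4,
    RI_TLV_SID_LABEL_RANGE = 9,   /* TLV type 9, named in the PR */
    RI_TLV_SR_LOCAL_BLOCK  = 14   /* TLV type 14, named in the PR */
};

/* Outcome of the dispatch step (hypothetical type for this example). */
typedef struct {
    int      bogus;     /* 1 when the guard rejected the TLV length */
    uint32_t body_len;  /* length that would be passed on to the walker */
} dispatch_result;

/* Unguarded form: the pattern the PR fixes. tlv_length is unsigned, so for
 * 0..3 the subtraction wraps to 0xFFFFFFFC..0xFFFFFFFF. */
dispatch_result dispatch_unguarded(uint32_t tlv_type, uint32_t tlv_length)
{
    dispatch_result r = { 0, 0 };
    if (tlv_type == RI_TLV_SID_LABEL_RANGE || tlv_type == RI_TLV_SR_LOCAL_BLOCK)
        r.body_len = tlv_length - RI_TLV_HDR_LEN;
    return r;
}

/* Guarded form: reject before subtracting, as the PR's fix does. */
dispatch_result dispatch_guarded(uint32_t tlv_type, uint32_t tlv_length)
{
    dispatch_result r = { 0, 0 };
    if (tlv_type == RI_TLV_SID_LABEL_RANGE || tlv_type == RI_TLV_SR_LOCAL_BLOCK) {
        if (tlv_length < RI_TLV_HDR_LEN) {
            r.bogus = 1;   /* caller prints a bogus-length diagnostic and returns */
            return r;
        }
        r.body_len = tlv_length - RI_TLV_HDR_LEN;
    }
    return r;
}

/* Bounded stand-in for the callee's "while (tlv_length != 0)" loop over
 * sub-TLVs (each: 2-byte type, 2-byte length of the value, then the value).
 * Returns 1 if walking body_len bytes stays within the `avail` bytes that
 * are really present, 0 if it would read past them. */
int walk_stays_in_bounds(const uint8_t *body, size_t avail, uint32_t body_len)
{
    while (body_len != 0) {
        if (body_len < 4 || avail < 4)
            return 0;                        /* no room for a sub-TLV header */
        uint32_t sub_len = ((uint32_t)body[2] << 8) | body[3];
        uint32_t total   = 4 + sub_len;
        if (total > body_len || total > avail)
            return 0;                        /* sub-TLV claims more than exists */
        body     += total;
        avail    -= total;
        body_len -= total;
    }
    return 1;
}

/* Constructed sample: one type-9 TLV, length 12 (header + 8-byte body),
 * whose body holds a single sub-TLV (type 1, value length 4). */
static const uint8_t sample_tlv[12] = {
    0x00, 0x09,  0x00, 0x0c,   /* type 9, length 12 */
    0x00, 0x01,  0x00, 0x04,   /* sub-TLV type 1, value length 4 */
    0xde, 0xad, 0xbe, 0xef     /* sub-TLV value (arbitrary bytes) */
};

int main(void)
{
    const uint8_t *body = sample_tlv + RI_TLV_HDR_LEN;
    size_t avail = sizeof sample_tlv - RI_TLV_HDR_LEN;

    dispatch_result ok = dispatch_guarded(RI_TLV_SID_LABEL_RANGE, 12);
    printf("length 12 -> body_len %u, walk in bounds: %d\n",
           ok.body_len, walk_stays_in_bounds(body, avail, ok.body_len));

    dispatch_result wrapped = dispatch_unguarded(RI_TLV_SID_LABEL_RANGE, 2);
    printf("length 2 unguarded -> body_len %u (wrapped), walk in bounds: %d\n",
           wrapped.body_len, walk_stays_in_bounds(body, avail, wrapped.body_len));

    dispatch_result rejected = dispatch_guarded(RI_TLV_SID_LABEL_RANGE, 2);
    printf("length 2 guarded -> bogus=%d\n", rejected.bogus);
    return 0;
}
```

The walker deliberately bounds itself against `avail` so the example is safe to run; the point it makes is that the wrapped `body_len` from the unguarded dispatch can never be satisfied by the bytes on the wire, which is why a callee that trusts that length walks off the end of the TLV.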