From f2c7d03598930621eec7d5b6482fded2f42cfc6a Mon Sep 17 00:00:00 2001 From: claudio Date: Tue, 5 May 2026 11:40:02 +0000 Subject: [PATCH] Ensure that alt_len includes at least the size of alt.family member to ensure that the parser is not going off the rails. OK renato@ --- usr.sbin/ldpd/address.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/ldpd/address.c b/usr.sbin/ldpd/address.c index 354797eb9aa..76c0b1a4665 100644 --- a/usr.sbin/ldpd/address.c +++ b/usr.sbin/ldpd/address.c @@ -1,4 +1,4 @@ -/* $OpenBSD: address.c,v 1.35 2017/03/04 00:21:48 renato Exp $ */ +/* $OpenBSD: address.c,v 1.36 2026/05/05 11:40:02 claudio Exp $ */ /* * Copyright (c) 2009 Michele Marchetto @@ -208,7 +208,7 @@ recv_address(struct nbr *nbr, char *buf, uint16_t len) memcpy(&alt, buf, sizeof(alt)); alt_len = ntohs(alt.length); alt_family = ntohs(alt.family); - if (alt_len > len - TLV_HDR_SIZE) { + if (alt_len < sizeof(alt.family) || alt_len > len - TLV_HDR_SIZE) { session_shutdown(nbr, S_BAD_TLV_LEN, msg.id, msg.type); return (-1); }