From d8d77d3733bc299ed5dd7b44c4d464ba2bfed288 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Wed, 20 Jul 2022 16:43:17 -0400
Subject: [PATCH] ospfclient: Ensure ospf_apiclient_lsa_originate cannot accidently write into stack

Even though OSPF_MAX_LSA_SIZE is quite large and holds the upper bound on what can be written into a lsa, let's add a small check to ensure it is not possible to do a bad thing. This wins one of the long standing bug awards. 2003!

Fixes: #11602
Signed-off-by: Donald Sharp
---
 ospfclient/ospf_apiclient.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ospfclient/ospf_apiclient.c b/ospfclient/ospf_apiclient.c
index 29f1c0807db4..51c8a5b8c065 100644
--- a/ospfclient/ospf_apiclient.c
+++ b/ospfclient/ospf_apiclient.c
@@ -447,6 +447,12 @@ int ospf_apiclient_lsa_originate(struct ospf_apiclient *oclient,
 return OSPF_API_ILLEGALLSATYPE;
 }
 
+ if ((size_t)opaquelen > sizeof(buf) - sizeof(struct lsa_header)) {
+ fprintf(stderr, "opaquelen(%d) is larger than buf size %zu\n",
+ opaquelen, sizeof(buf));
+ return OSPF_API_NOMEMORY;
+ }
+
 /* Make a new LSA from parameters */
 lsah = (struct lsa_header *)buf;
 lsah->ls_age = 0;
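Review bot: The diagnostic in the added check reports `sizeof(buf)` while the comparison bounds `opaquelen` by `sizeof(buf) - sizeof(struct lsa_header)`, so the limit printed is larger than the one actually enforced and a caller tuning its payload will be misled. Printing the enforced value keeps the message truthful: `fprintf(stderr, "opaquelen(%d) exceeds available payload %zu\n", opaquelen, sizeof(buf) - sizeof(struct lsa_header));`. The `(size_t)` cast also quietly covers a negative `opaquelen` (it converts to a huge unsigned value and is rejected by the same comparison), which deserves a one-line comment such as `/* size_t cast also rejects a negative opaquelen */` so a later reader does not "simplify" it into a signed compare and reopen the bound. Returning OSPF_API_NOMEMORY for what is an argument-validation failure is debatable, but I cannot tell from the hunk whether a more specific code exists. The body of ospf_apiclient_lsa_originate begins before and continues after the hunk.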