From e6f12631d562b38463e2ca27c6d6a54c250ef9f4 Mon Sep 17 00:00:00 2001
From: mohammadmseet-hue
Date: Sat, 11 Apr 2026 18:55:14 +0200
Subject: [PATCH] Fix panic on malformed OSPF packets

Validate PacketLength against actual data length in both OSPFv2 and OSPFv3 DecodeFromBytes before using it as loop bounds. Add bounds checking in getLSAsv2 and getLSAs before reading LSA headers. Malformed packets with inflated PacketLength or NumOfLSAs caused index out of range panics when the parser iterated beyond available data.
---
 layers/ospf.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/layers/ospf.go b/layers/ospf.go
index 4f5473d06..234b3e812 100644
--- a/layers/ospf.go
+++ b/layers/ospf.go
@@ -259,6 +259,9 @@ func getLSAsv2(num uint32, data []byte) ([]LSA, error) {
 var i uint32 = 0
 var offset uint32 = 0
 for ; i < num; i++ {
+ if int(offset+20) > len(data) {
+ return nil, fmt.Errorf("LSAv2 too short at offset %d for LSA header", offset)
+ }
 lstype := uint16(data[offset+3])
 lsalength := binary.BigEndian.Uint16(data[offset+18 : offset+20])
 content, err := extractLSAInformation(lstype, lsalength, data[offset:])
@@ -454,6 +457,9 @@ func getLSAs(num uint32, data []byte) ([]LSA, error) {
 var i uint32 = 0
 var offset uint32 = 0
 for ; i < num; i++ {
+ if int(offset+20) > len(data) {
+ return nil, fmt.Errorf("LSA too short at offset %d for LSA header", offset)
+ }
 var content interface{}
 lstype := binary.BigEndian.Uint16(data[offset+2 : offset+4])
 lsalength := binary.BigEndian.Uint16(data[offset+18 : offset+20])
@@ -495,6 +501,10 @@ func (ospf *OSPFv2) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) err
 ospf.AuType = binary.BigEndian.Uint16(data[14:16])
 ospf.Authentication = binary.BigEndian.Uint64(data[16:24])
 
+ if int(ospf.PacketLength) > len(data) {
+ return fmt.Errorf("OSPF packet length %d exceeds data length %d", ospf.PacketLength, len(data))
+ }
+
 switch ospf.Type {
 case OSPFHello:
 var neighbors []uint32
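Review bot: The guard added in getLSAsv2 only proves that the 20-byte LSA header is present; `lsalength`, read two lines later from `data[offset+18 : offset+20]`, is still handed to extractLSAInformation unchecked in the visible lines. The rest of the loop lies outside the hunk, so if `offset` is advanced by `lsalength` there, a value below 20 (including 0) would make the loop re-read the same bytes and leave the packet-supplied `num` as its only bound. Unless extractLSAInformation already rejects that case, add `if lsalength < 20 || int(offset)+int(lsalength) > len(data) { return nil, fmt.Errorf("LSA length %d invalid at offset %d", lsalength, offset) }` right after the read. The getLSAs hunk adds the same header-only guard and deserves the same check. In both guards `offset+20` is computed in uint32 before the conversion, so `uint64(offset)+20 > uint64(len(data))` would avoid relying on the sum not wrapping.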
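Review bot: The check added in OSPFv2 DecodeFromBytes bounds PacketLength from above only; a value smaller than the 24 bytes already consumed by the header reads (the last one is `data[16:24]`) still passes and reaches the `switch`. The case bodies are outside the hunk, so whether they tolerate a length below their fixed offsets cannot be confirmed from here; rejecting it up front is cheap: `if int(ospf.PacketLength) < 24 || int(ospf.PacketLength) > len(data) {`. The OSPFv3 hunk has the same one-sided check; its header reads end at `data[15]`, so the minimum there would be 16. The diffstat shows only layers/ospf.go changed, so a regression test that feeds the truncated and inflated packets which used to panic would keep this fix from silently regressing.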
@@ -592,6 +602,10 @@ func (ospf *OSPFv3) DecodeFromBytes(data []byte, df gopacket.DecodeFeedback) err
 ospf.Instance = uint8(data[14])
 ospf.Reserved = uint8(data[15])
 
+ if int(ospf.PacketLength) > len(data) {
+ return fmt.Errorf("OSPF packet length %d exceeds data length %d", ospf.PacketLength, len(data))
+ }
+
 switch ospf.Type {
 case OSPFHello:
 var neighbors []uint32