OSPF6D-001 — OpenBSD ospf6d: incorrect length arithmetic in lsa_check() allows oversized LSA to reach lsa_get_prefix()

Operator-precedence error in an OSPFv3 LSA parser allows a pre-authentication, link-local DoS.

Stuart Thomas

Independent Security Research — Whitby, North Yorkshire, United Kingdom

21 May 2026  ·  Product: OpenBSD ospf6d (OSPFv3 routing daemon)  ·  Severity: Medium — network-reachable DoS, pre-authentication  ·  ORCID: 0009-0008-4518-0064  ·  CC BY 4.0


1. Summary

A missing set of parentheses in the length calculation inside lsa_check() for LSA_TYPE_INTER_A_PREFIX caused the wrong (too large) length value to be passed to lsa_get_prefix(). A remote, unauthenticated attacker on the same OSPFv3 broadcast domain could send a crafted Link State Advertisement packet to trigger the condition, potentially causing ospf6d to process out-of-bounds data and crash.

2. Technical detail

File: usr.sbin/ospf6d/rde_lsdb.c, function lsa_check().

The vulnerable calculation (pre-fix):

lsa_get_prefix(..., len - sizeof(lsa->hdr) + sizeof(lsa->data.pref_sum))

Due to C operator precedence, this evaluates as:

(len - sizeof(lsa->hdr)) + sizeof(lsa->data.pref_sum)

which produces a value larger than the actual remaining packet length. The fix adds parentheses to ensure both sizeof expressions are summed before subtracting from len:

lsa_get_prefix(..., len - (sizeof(lsa->hdr) + sizeof(lsa->data.pref_sum)))

This is a classic operator-precedence arithmetic error in a network parser. ospf6d runs as a non-root daemon but listens on the network without authentication at the link layer.
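The following is an added example, not code from ospf6d or the OpenBSD commit. It models the precedence error on a simplified, constructed LSA layout: HDR_LEN, PREF_SUM_LEN, PREFIX_FIXED and the helper names are assumptions for the example, not the real struct sizes. It shows why the unparenthesised expression overstates the remaining body length by exactly 2 * sizeof(pref_sum) bytes, and how a prefix element that is rejected with the fixed arithmetic is accepted with the buggy arithmetic and would then be read past the end of the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this example only (not ospf6d's real struct sizes). */
#define HDR_LEN       20u   /* stands in for sizeof(lsa->hdr)           */
#define PREF_SUM_LEN   4u   /* stands in for sizeof(lsa->data.pref_sum) */
#define PREFIX_FIXED   4u   /* prefixlen, options, 2 reserved bytes     */

/* Pre-fix expression: binary + and - associate left to right, so this
 * is (len - HDR_LEN) + PREF_SUM_LEN, which overstates the body length
 * by 2 * PREF_SUM_LEN bytes compared with what was intended. */
static size_t remaining_buggy(size_t len)
{
	return len - HDR_LEN + PREF_SUM_LEN;
}

/* Fixed expression: both sizes are summed before subtracting. */
static size_t remaining_fixed(size_t len)
{
	return len - (HDR_LEN + PREF_SUM_LEN);
}

/* Simplified stand-in for lsa_get_prefix(): validates one prefix element
 * against the byte count the caller says is available. Returns the bytes
 * the element occupies, or -1 if it would extend beyond `avail`. */
static int get_prefix(const uint8_t *p, size_t avail)
{
	if (avail < PREFIX_FIXED)
		return -1;
	if (p[0] > 128)                   /* prefixlen is in bits, max /128 */
		return -1;
	size_t addr_bytes = (p[0] + 7u) / 8u;
	if (PREFIX_FIXED + addr_bytes > avail)
		return -1;
	return (int)(PREFIX_FIXED + addr_bytes);
}

/* Parse one inter-area-prefix LSA of `len` bytes. Returns:
 *   0  prefix accepted and lies inside the packet,
 *   1  prefix rejected by the length check,
 *   2  prefix accepted but would be read beyond the packet (the bug). */
static int parse_lsa(const uint8_t *pkt, size_t len, int fixed)
{
	if (len < HDR_LEN + PREF_SUM_LEN)
		return 1;
	size_t claimed = fixed ? remaining_fixed(len) : remaining_buggy(len);
	size_t actual = len - (HDR_LEN + PREF_SUM_LEN); /* true body length */
	int used = get_prefix(pkt + HDR_LEN + PREF_SUM_LEN, claimed);
	if (used < 0)
		return 1;
	return (size_t)used <= actual ? 0 : 2;
}

/* Build a constructed LSA: header, pref_sum, prefix element claiming
 * `prefixlen` bits, followed by `addr_bytes_present` address bytes.
 * Returns the parse outcome for the chosen arithmetic. */
static int outcome(int fixed, uint8_t prefixlen, size_t addr_bytes_present)
{
	uint8_t buf[64];
	memset(buf, 0, sizeof(buf));
	buf[HDR_LEN + PREF_SUM_LEN] = prefixlen;
	size_t len = HDR_LEN + PREF_SUM_LEN + PREFIX_FIXED + addr_bytes_present;
	return parse_lsa(buf, len, fixed);
}

int main(void)
{
	/* /32 prefix with no address bytes present: 8 bytes needed, 4 exist. */
	printf("buggy, truncated /32: %d (2 = would read past packet)\n",
	    outcome(0, 32, 0));
	printf("fixed, truncated /32: %d (1 = rejected)\n", outcome(1, 32, 0));
	/* Well-formed /32 with its 4 address bytes: both arithmetics accept. */
	printf("fixed, complete /32:  %d (0 = in bounds)\n", outcome(1, 32, 4));
	return 0;
}
```

With the constructed 28-byte packet the fixed arithmetic hands get_prefix() 4 bytes and rejects the 8-byte element, while the buggy arithmetic hands it 12 and accepts it, so the subsequent address copy would run 4 bytes past the packet. The overstatement is bounded (2 * PREF_SUM_LEN), which is why a prefix that is wildly too long is still caught by the buggy check and the bug needs an element that overshoots by at most that margin.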

3. Affected versions

4. Fix

Fixed in OpenBSD -current, commit 8d24b51, by Claudio Jeker (cjeker@), 2026-05-19. Approved by tb@ and deraadt@.

Commit message:

Reported by Stuart Thomas. OK tb@ deraadt@

github.com/openbsd/src/commit/8d24b51

5. Timeline

Date        Event
2026-05-18  Reported to bugs@openbsd.org
2026-05-19  Fixed in -current by Claudio Jeker. Reply: “Fixed in -current. Thanks for the report.”
2026-05-21  This disclosure published.

6. Credit

Found independently by Stuart Thomas during a source-code audit of OpenBSD network daemons. Acknowledged in commit 8d24b51: “Reported by Stuart Thomas OK tb@ deraadt@”.

This disclosure is published under the Defamation Act 2013 facts-and-opinion convention. Statements of fact — commit hashes, dates, vendor responses, code excerpts — are accurate to the best of the author’s knowledge and are evidenced by the OpenBSD CVS commit log, the public bugs@openbsd.org mailing-list archive, and the author’s contemporaneous correspondence with the OpenBSD project. Where any fact has been described inaccurately, the author will correct it; please email stuartpaulthomas@gmail.com.

The OpenBSD project is named as the publicly-accountable maintainer of the affected software. Individual developers (Claudio Jeker, Martijn van Duren, Theo de Raadt and others) are named only in their public capacity as committers and maintainers, and only in connection with their own public commits. They are characterised, where mentioned, as professional and prompt; this is the author’s honest experience of them.

The research was conducted on hardware owned by the author. No third-party systems were accessed in the course of the research. The work was performed within the scope permitted by the Computer Misuse Act 1990 (England and Wales) own-hardware exemption.

Coordinated disclosure of vulnerabilities in network-facing software is a matter of legitimate public interest under s.4 of the Defamation Act 2013. This disclosure is published in good faith on that basis.