OSPFD-001 — OpenBSD ospfd: missing minimum-length check on embedded lsa.len allows malformed LSU packet to corrupt routing state
Length-prefixed binary parser fails to validate the inner length before trusting it — standard defence missing.
Independent Security Research — Whitby, North Yorkshire, United Kingdom
1. Summary
The recv_ls_update() function in ospfd’s LSU (Link State Update) packet handler validated that a received packet was large enough to contain the declared lsa.len bytes, but did not first verify that lsa.len was itself at least sizeof(struct lsa). An attacker on the same OSPFv2 broadcast domain could send a crafted LS Update packet with an artificially small lsa.len value, causing the daemon to operate on an undersized LSA structure and potentially corrupt its routing-table state.
2. Technical detail
File: usr.sbin/ospfd/lsupdate.c, function recv_ls_update().
Pre-fix, the only guard was:

```c
if (len < ntohs(lsa.len)) { ... }
```
This confirmed the wire data was long enough, but if lsa.len was set to a value smaller than sizeof(struct lsa), subsequent struct-field accesses would read garbage or attacker-controlled data as routing metadata.
The fix inserts a prior check:

```c
if (ntohs(lsa.len) < sizeof(lsa) ||
    len < ntohs(lsa.len)) { ... }
```
This pattern — validate the declared length is at least as large as the struct before trusting any field within it — is the standard defence for length-prefixed binary protocol parsers.
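To make the ordering concrete, the following is an added example (my own code, not ospfd's): a constructed stand-in for the LSA header with the pre-fix and post-fix validators side by side, plus an `lsa_case` driver that builds a header with a chosen declared length. The struct field names, `lsa_case`, and all sample lengths are assumptions, not taken from the OpenBSD source.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the 20-byte OSPFv2 LSA header (RFC 2328 A.4.1);
 * field names are mine, not ospfd's. */
struct lsa_hdr {
	uint16_t age;
	uint8_t  opts, type;
	uint32_t ls_id, adv_rtr, seq_num;
	uint16_t ls_chksum;
	uint16_t len;		/* whole-LSA length incl. header, network order */
} __attribute__((packed));

/* Pre-fix ordering: the buffer is measured against lsa.len, but lsa.len is
 * never compared with the header size, so a declared 4 passes. 1 = accept. */
int lsa_accept_prefix(const uint8_t *buf, size_t len)
{
	struct lsa_hdr lsa;
	if (len < sizeof(lsa))
		return 0;
	memcpy(&lsa, buf, sizeof(lsa));
	return len >= ntohs(lsa.len);
}

/* Post-fix ordering: the declared length must be at least the struct size
 * before the buffer is measured against it, as in the commit's condition. */
int lsa_accept_fixed(const uint8_t *buf, size_t len)
{
	struct lsa_hdr lsa;
	if (len < sizeof(lsa))
		return 0;
	memcpy(&lsa, buf, sizeof(lsa));
	if (ntohs(lsa.len) < sizeof(lsa) || len < ntohs(lsa.len))
		return 0;
	return 1;
}

/* Builds a header declaring decl_len bytes and runs the chosen validator on a
 * wire_len-byte buffer (constructed input; both values are test parameters). */
int lsa_case(uint16_t decl_len, size_t wire_len, int use_fix)
{
	uint8_t buf[64] = {0};
	struct lsa_hdr h = { .type = 1, .len = htons(decl_len) };	/* router-LSA */
	if (wire_len > sizeof(buf))
		return 0;
	memcpy(buf, &h, sizeof(h));
	return use_fix ? lsa_accept_fixed(buf, wire_len)
	               : lsa_accept_prefix(buf, wire_len);
}
```

A declared length of 4 or 0 with 20 bytes on the wire is accepted by the pre-fix ordering and rejected by the fixed one; both reject a declared length larger than the buffer.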
OSPFv2 exchanges its packets directly on the local link and, in default configurations, carries no cryptographic authentication, so the vulnerable handler is reachable by any host on the same broadcast segment.
3. Affected versions
- OpenBSD 7.8 and earlier releases shipping ospfd.
- OpenBSD -current prior to commit 8b667af (2026-05-19).
4. Fix
Fixed in OpenBSD -current, commit 8b667af, by Claudio Jeker (cjeker@), 2026-05-19. Approved by tb@ and deraadt@.
github.com/openbsd/src/commit/8b667af
5. Timeline
| Date | Event |
|---|---|
| 2026-05-18 | Reported to bugs@openbsd.org |
| 2026-05-19 | Fixed in -current (same day as OSPF6D-001, same author). |
| 2026-05-21 | This disclosure published. |
6. Credit
Found independently by Stuart Thomas during a source-code audit of OpenBSD network daemons.
Legal note
This disclosure is published under the Defamation Act 2013 facts-and-opinion convention. Statements of fact — commit hashes, dates, vendor responses, code excerpts — are accurate to the best of the author’s knowledge and are evidenced by the OpenBSD CVS commit log, the public bugs@openbsd.org mailing-list archive, and the author’s contemporaneous correspondence with the OpenBSD project. Where any fact has been described inaccurately, the author will correct it; please email stuartpaulthomas@gmail.com.
The OpenBSD project is named as the publicly-accountable maintainer of the affected software. Individual developers (Claudio Jeker, Martijn van Duren, Theo de Raadt and others) are named only in their public capacity as committers and maintainers, and only in connection with their own public commits. They are characterised, where mentioned, as professional and prompt; this is the author’s honest experience of them.
The research was conducted on hardware owned by the author. No third-party systems were accessed in the course of the research. The work was performed within the scope permitted by the Computer Misuse Act 1990 (England and Wales) own-hardware exemption.
Coordinated disclosure of vulnerabilities in network-facing software is a matter of legitimate public interest under s.4 of the Defamation Act 2013. This disclosure is published in good faith on that basis.