Hello!

I recently tested the OSPF protocol implementation with the AFL fuzzer and found a problem that causes an invalid memory read.

https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L463

The problem is that 'plen' may be less than 'hlen'. If this happens, then 'blen' will wrap around:

  if (ospf_is_v2(p) && (pkt->autype != OSPF_AUTH_CRYPT))
  {
    uint hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
    uint blen = plen - hlen;            /* unsigned: wraps when plen < hlen */
    void *body = ((void *) pkt) + hlen;

    if (!ipsum_verify(pkt, sizeof(struct ospf_packet), body, blen, NULL))
      DROP("invalid checksum", ntohs(pkt->checksum));
  }

'plen' is declared here:

https://gitlab.labs.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L443

  uint plen = ntohs(pkt->length);
  if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0))
    DROP("invalid length", plen);

--
Best regards,
Slava Aseev
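The following is an added example, not BIRD's code and not part of the report above. It reproduces the arithmetic of the two checks in a stand-alone C program: the struct layout (a 16-byte common header and an 8-byte OSPFv2 authentication field), the value of OSPF_AUTH_CRYPT, and the body_len_fixed() variant with an extra plen < hlen check are all assumptions made for this example, modeled on the quoted code rather than taken from the BIRD tree. A crafted header whose length field is 16 or 20 passes the "invalid length" check (it is at least sizeof(struct ospf_packet) and a multiple of 4) but is shorter than hlen, so the original computation hands a body length near 2^32 to the checksum routine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons / ntohs / htonl */

/* Assumption: layout modeled on BIRD's struct ospf_packet, 16 bytes with
 * no padding. Not BIRD's actual definition. */
struct ospf_packet {
  uint8_t  version;
  uint8_t  type;
  uint16_t length;       /* total packet length, network byte order */
  uint32_t routerid;
  uint32_t areaid;
  uint16_t checksum;
  uint8_t  instance_id;
  uint8_t  autype;       /* OSPFv2 authentication type */
};

/* Assumption: 8-byte OSPFv2 authentication field. */
union ospf_auth2 {
  uint8_t raw[8];
};

#define OSPF_AUTH_CRYPT 2  /* assumption: cryptographic auth type value */

struct blen_result {
  int      dropped;  /* 1 if the receive path would drop the packet */
  uint32_t blen;     /* body length that would be passed to the checksum */
};

/* Mirrors the logic quoted in the report: only plen < sizeof(header) and
 * plen % 4 != 0 are rejected, so plen of 16 or 20 gets through and the
 * unsigned subtraction plen - hlen wraps around. */
struct blen_result body_len_original(const struct ospf_packet *pkt)
{
  struct blen_result r = { 0, 0 };
  uint32_t plen = ntohs(pkt->length);

  if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0)) {
    r.dropped = 1;
    return r;
  }

  if (pkt->autype != OSPF_AUTH_CRYPT) {
    uint32_t hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
    r.blen = plen - hlen;  /* wraps to ~4 GiB when plen < hlen */
  }
  return r;
}

/* Hardened variant (assumption, not a BIRD patch): reject the packet before
 * subtracting when it is too short to contain the authentication field. */
struct blen_result body_len_fixed(const struct ospf_packet *pkt)
{
  struct blen_result r = { 0, 0 };
  uint32_t plen = ntohs(pkt->length);

  if ((plen < sizeof(struct ospf_packet)) || ((plen % 4) != 0)) {
    r.dropped = 1;
    return r;
  }

  if (pkt->autype != OSPF_AUTH_CRYPT) {
    uint32_t hlen = sizeof(struct ospf_packet) + sizeof(union ospf_auth2);
    if (plen < hlen) {
      r.dropped = 1;   /* would otherwise read past the received bytes */
      return r;
    }
    r.blen = plen - hlen;
  }
  return r;
}

/* Constructed OSPFv2 Hello header with an attacker-chosen length field
 * (no real capture). autype 0 stands for null authentication here. */
void make_packet(uint16_t plen, uint8_t autype, struct ospf_packet *out)
{
  memset(out, 0, sizeof(*out));
  out->version  = 2;
  out->type     = 1;                  /* Hello */
  out->length   = htons(plen);
  out->routerid = htonl(0x0a000001u);
  out->autype   = autype;
}

int main(void)
{
  struct ospf_packet pkt;
  uint16_t lens[] = { 14, 16, 18, 20, 24, 44 };

  for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
    make_packet(lens[i], 0, &pkt);
    struct blen_result o = body_len_original(&pkt);
    struct blen_result f = body_len_fixed(&pkt);
    printf("plen=%2u  original: %s blen=%u   fixed: %s blen=%u\n",
           (unsigned) lens[i],
           o.dropped ? "DROP" : "pass", (unsigned) o.blen,
           f.dropped ? "DROP" : "pass", (unsigned) f.blen);
  }
  return 0;
}
```

Running it shows that lengths 16 and 20 pass the original check with blen equal to 4294967288 and 4294967292 respectively, while the fixed variant drops them; 24 yields an empty body in both, and 14 and 18 are rejected by the existing length check as expected.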