Timothy Redaelli
4 years ago
parent
d182a88ae2
commit
74024c5b4e
@ -1,132 +0,0 @@
|
||||
From d0e86f3353677fd9432608c7189928467767a109 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Bernat <vincent@bernat.ch>
|
||||
Date: Thu, 12 Nov 2020 19:54:50 -0500
|
||||
Subject: [PATCH 1/5] lldp: validate a bit more received LLDP frames
|
||||
|
||||
Upstream commit:
|
||||
commit 3aeae72b97716fddac290634fad02b952d981f17
|
||||
Author: Vincent Bernat <vincent@bernat.ch>
|
||||
Date: Tue, 1 Oct 2019 21:42:42 +0200
|
||||
|
||||
lldp: validate a bit more received LLDP frames
|
||||
|
||||
Notably, we ensure the order and unicity of Chassis ID, Port ID and
|
||||
TTL TLV. For Chassis ID and Port ID, we also ensure the maximum size
|
||||
does not exceed 256.
|
||||
|
||||
Fix https://github.com/vincentbernat/lldpd/issues/351
|
||||
|
||||
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
|
||||
Signed-off-by: Aaron Conole <aconole@redhat.com>
|
||||
Co-authored-by: Aaron Conole <aconole@redhat.com>
|
||||
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
|
||||
---
|
||||
lib/lldp/lldp.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 51 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
|
||||
index 74f747fcd..e61ce6774 100644
|
||||
--- a/lib/lldp/lldp.c
|
||||
+++ b/lib/lldp/lldp.c
|
||||
@@ -341,6 +341,12 @@ lldp_send(struct lldpd *global OVS_UNUSED,
|
||||
|
||||
return dp_packet_size(p);
|
||||
}
|
||||
+#define CHECK_TLV_MAX_SIZE(x, name) \
|
||||
+ do { if (tlv_size > (x)) { \
|
||||
+ VLOG_WARN(name " TLV too large received on %s", \
|
||||
+ hardware->h_ifname); \
|
||||
+ goto malformed; \
|
||||
+ } } while (0)
|
||||
|
||||
int
|
||||
lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
@@ -359,7 +365,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
int length, af;
|
||||
bool gotend = false;
|
||||
bool ttl_received = false;
|
||||
- int tlv_size, tlv_type, tlv_subtype;
|
||||
+ int tlv_size, tlv_type, tlv_subtype, tlv_count = 0;
|
||||
u_int8_t *pos, *tlv;
|
||||
void *b;
|
||||
struct lldpd_aa_isid_vlan_maps_tlv *isid_vlan_map = NULL;
|
||||
@@ -411,6 +417,31 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
hardware->h_ifname);
|
||||
goto malformed;
|
||||
}
|
||||
+ /* Check order for mandatory TLVs */
|
||||
+ tlv_count++;
|
||||
+ switch (tlv_type) {
|
||||
+ case LLDP_TLV_CHASSIS_ID:
|
||||
+ if (tlv_count != 1) {
|
||||
+ VLOG_WARN("first TLV should be a chassis ID on %s, not %d",
|
||||
+ hardware->h_ifname, tlv_type);
|
||||
+ goto malformed;
|
||||
+ }
|
||||
+ break;
|
||||
+ case LLDP_TLV_PORT_ID:
|
||||
+ if (tlv_count != 2) {
|
||||
+ VLOG_WARN("second TLV should be a port ID on %s, not %d",
|
||||
+ hardware->h_ifname, tlv_type);
|
||||
+ goto malformed;
|
||||
+ }
|
||||
+ break;
|
||||
+ case LLDP_TLV_TTL:
|
||||
+ if (tlv_count != 3) {
|
||||
+ VLOG_WARN("third TLV should be a TTL on %s, not %d",
|
||||
+ hardware->h_ifname, tlv_type);
|
||||
+ goto malformed;
|
||||
+ }
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
switch (tlv_type) {
|
||||
case LLDP_TLV_END:
|
||||
@@ -428,7 +459,8 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
|
||||
case LLDP_TLV_CHASSIS_ID:
|
||||
case LLDP_TLV_PORT_ID:
|
||||
- CHECK_TLV_SIZE(2, "Port Id");
|
||||
+ CHECK_TLV_SIZE(2, "Port/Chassis Id");
|
||||
+ CHECK_TLV_MAX_SIZE(256, "Port/Chassis Id");
|
||||
tlv_subtype = PEEK_UINT8;
|
||||
if (tlv_subtype == 0 || tlv_subtype > 7) {
|
||||
VLOG_WARN("unknown subtype for tlv id received on %s",
|
||||
@@ -438,10 +470,22 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
b = xzalloc(tlv_size - 1);
|
||||
PEEK_BYTES(b, tlv_size - 1);
|
||||
if (tlv_type == LLDP_TLV_PORT_ID) {
|
||||
+ if (port->p_id != NULL) {
|
||||
+ VLOG_WARN("Port ID TLV received twice on %s",
|
||||
+ hardware->h_ifname);
|
||||
+ free(b);
|
||||
+ goto malformed;
|
||||
+ }
|
||||
port->p_id_subtype = tlv_subtype;
|
||||
port->p_id = b;
|
||||
port->p_id_len = tlv_size - 1;
|
||||
} else {
|
||||
+ if (chassis->c_id != NULL) {
|
||||
+ VLOG_WARN("Chassis ID TLV received twice on %s",
|
||||
+ hardware->h_ifname);
|
||||
+ free(b);
|
||||
+ goto malformed;
|
||||
+ }
|
||||
chassis->c_id_subtype = tlv_subtype;
|
||||
chassis->c_id = b;
|
||||
chassis->c_id_len = tlv_size - 1;
|
||||
@@ -449,6 +493,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
break;
|
||||
|
||||
case LLDP_TLV_TTL:
|
||||
+ if (ttl_received) {
|
||||
+ VLOG_WARN("TTL TLV received twice on %s",
|
||||
+ hardware->h_ifname);
|
||||
+ goto malformed;
|
||||
+ }
|
||||
CHECK_TLV_SIZE(2, "TTL");
|
||||
chassis->c_ttl = PEEK_UINT16;
|
||||
ttl_received = true;
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From 800ce88f52c68e9754d9d9085daf47cf90bb10cf Mon Sep 17 00:00:00 2001
|
||||
From: Jonas Johansson <jonasj76@gmail.com>
|
||||
Date: Thu, 12 Nov 2020 19:54:51 -0500
|
||||
Subject: [PATCH 2/5] lldp: Fix size of PEEK_DISCARD_UINT32()
|
||||
|
||||
Upstream commit:
|
||||
commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
|
||||
Author: Jonas Johansson <jonasj76@gmail.com>
|
||||
Date: Thu, 21 Apr 2016 11:50:06 +0200
|
||||
|
||||
Fix size of PEEK_DISCARD_UINT32()
|
||||
|
||||
Signed-off-by: Jonas Johansson <jonasj76@gmail.com>
|
||||
|
||||
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
|
||||
Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
|
||||
Reported-at: https://github.com/openvswitch/ovs/pull/336
|
||||
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
|
||||
Acked-by: Aaron Conole <aconole@redhat.com>
|
||||
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
|
||||
---
|
||||
lib/lldp/lldp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
|
||||
index e61ce6774..593c5e1c3 100644
|
||||
--- a/lib/lldp/lldp.c
|
||||
+++ b/lib/lldp/lldp.c
|
||||
@@ -59,7 +59,7 @@ VLOG_DEFINE_THIS_MODULE(lldp);
|
||||
} while (0)
|
||||
#define PEEK_DISCARD_UINT8 PEEK_DISCARD(1)
|
||||
#define PEEK_DISCARD_UINT16 PEEK_DISCARD(2)
|
||||
-#define PEEK_DISCARD_UINT32 PEEK_DISCARD(3)
|
||||
+#define PEEK_DISCARD_UINT32 PEEK_DISCARD(4)
|
||||
#define PEEK_CMP(value, bytes) \
|
||||
(length -= (bytes), \
|
||||
pos += (bytes), \
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1,58 +0,0 @@
|
||||
From ec51fc90669e5fe1a2096581296d55b3acda6711 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Bernat <vincent@bernat.im>
|
||||
Date: Thu, 12 Nov 2020 19:54:52 -0500
|
||||
Subject: [PATCH 3/5] lldp: fix a buffer overflow when handling management
|
||||
address TLV
|
||||
|
||||
Upstream commit:
|
||||
commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
|
||||
Author: Vincent Bernat <vincent@bernat.im>
|
||||
Date: Sun, 4 Oct 2015 01:50:38 +0200
|
||||
|
||||
lldp: fix a buffer overflow when handling management address TLV
|
||||
|
||||
When a remote device was advertising a too large management address
|
||||
while still respecting TLV boundaries, lldpd would crash due to a buffer
|
||||
overflow. However, the buffer being a static one, this buffer overflow
|
||||
is not exploitable if hardening was not disabled. This bug exists since
|
||||
version 0.5.6.
|
||||
|
||||
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
|
||||
Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
|
||||
Reported-at: https://github.com/openvswitch/ovs/pull/335
|
||||
Co-authored-by: Fabrizio D'Angelo <fdangelo@redhat.com>
|
||||
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
|
||||
Acked-by: Aaron Conole <aconole@redhat.com>
|
||||
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
|
||||
---
|
||||
lib/lldp/lldp.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
|
||||
index 593c5e1c3..628d0f863 100644
|
||||
--- a/lib/lldp/lldp.c
|
||||
+++ b/lib/lldp/lldp.c
|
||||
@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
case LLDP_TLV_MGMT_ADDR:
|
||||
CHECK_TLV_SIZE(1, "Management address");
|
||||
addr_str_length = PEEK_UINT8;
|
||||
+ if (addr_str_length > sizeof(addr_str_buffer)) {
|
||||
+ VLOG_WARN("too large management address on %s",
|
||||
+ hardware->h_ifname);
|
||||
+ goto malformed;
|
||||
+ }
|
||||
CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
|
||||
PEEK_BYTES(addr_str_buffer, addr_str_length);
|
||||
addr_length = addr_str_length - 1;
|
||||
@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
break;
|
||||
|
||||
case LLDP_TLV_ORG:
|
||||
- CHECK_TLV_SIZE(4, "Organisational");
|
||||
+ CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
|
||||
PEEK_BYTES(orgid, sizeof orgid);
|
||||
tlv_subtype = PEEK_UINT8;
|
||||
if (memcmp(dot1, orgid, sizeof orgid) == 0) {
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1,37 +0,0 @@
|
||||
From d9140c3fd0bcba05a9e33fc7b1e042b86e31ae37 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Bernat <vincent@bernat.ch>
|
||||
Date: Thu, 12 Nov 2020 19:54:53 -0500
|
||||
Subject: [PATCH 4/5] lldp: increase statsTLVsUnrecognizedTotal on unknown TLV
|
||||
|
||||
Upstream commit:
|
||||
commit 109bcd423cd560545ec7940d73a50c5584aebb0c
|
||||
Author: Vincent Bernat <vincent@bernat.ch>
|
||||
Date: Sat, 6 Apr 2019 21:17:25 +0200
|
||||
|
||||
This was done for organization TLVs, but not for other TLVs.
|
||||
|
||||
Fix https://github.com/vincentbernat/lldpd/issues/323
|
||||
|
||||
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
|
||||
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
|
||||
Acked-by: Aaron Conole <aconole@redhat.com>
|
||||
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
|
||||
---
|
||||
lib/lldp/lldp.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
|
||||
index 628d0f863..e5755307f 100644
|
||||
--- a/lib/lldp/lldp.c
|
||||
+++ b/lib/lldp/lldp.c
|
||||
@@ -679,6 +679,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
|
||||
VLOG_WARN("unknown tlv (%d) received on %s",
|
||||
tlv_type,
|
||||
hardware->h_ifname);
|
||||
+ hardware->h_rx_unrecognized_cnt++;
|
||||
goto malformed;
|
||||
}
|
||||
if (pos > tlv + tlv_size) {
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1,48 +0,0 @@
|
||||
From 45fd5e7ea1a63a62b70fdf05de782c31222696ad Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Bernat <vincent@bernat.im>
|
||||
Date: Thu, 12 Nov 2020 19:54:54 -0500
|
||||
Subject: [PATCH 5/5] lldp: correctly increase discarded count
|
||||
|
||||
Upstream commit:
|
||||
commit 32f0deeebc9172c3f5f4a4d02aab32e6904947f6
|
||||
Date: Sat, 18 Feb 2017 20:11:47 +0100
|
||||
|
||||
lldpd: correctly increase discarded count
|
||||
|
||||
When a frame cannot be decoded but has been guessed, increase the
|
||||
discarded count.
|
||||
|
||||
Fix https://github.com/vincentbernat/lldpd/issues/223
|
||||
|
||||
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
|
||||
Co-authored-by: Fabrizio D'Angelo <fdangelo@redhat.com>
|
||||
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
|
||||
Acked-by: Aaron Conole <aconole@redhat.com>
|
||||
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
|
||||
---
|
||||
lib/lldp/lldpd.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/lib/lldp/lldpd.c b/lib/lldp/lldpd.c
|
||||
index 19e930526..34738535d 100644
|
||||
--- a/lib/lldp/lldpd.c
|
||||
+++ b/lib/lldp/lldpd.c
|
||||
@@ -244,6 +244,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s,
|
||||
|
||||
if (s < sizeof(struct eth_header) + 4) {
|
||||
/* Too short, just discard it */
|
||||
+ hw->h_rx_discarded_cnt++;
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -284,6 +285,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s,
|
||||
VLOG_DBG("function for %s protocol did not "
|
||||
"decode this frame",
|
||||
cfg->g_protocols[i].name);
|
||||
+ hw->h_rx_discarded_cnt++;
|
||||
return;
|
||||
}
|
||||
chassis->c_protocol = port->p_protocol = cfg->g_protocols[i].mode;
|
||||
--
|
||||
2.28.0
|
||||
|
||||
@ -1 +1 @@
|
||||
SHA512 (openvswitch-2.14.0.tar.gz) = 5fe377f9b2857e238e3d40e4452e8b36c80283230f1d0f4b983324532beba725913da817e545c8d7630762f170bb5b0dfe810fd1b8b559994d5eae828beb8ec1
|
||||
SHA512 (openvswitch-2.15.0.tar.gz) = a4e49268d6dd7d9d8fbf2005e8ffe45ede0998d21c98d7018474142656c65c05b14c8a7e4c7d8e0eea36e28d87550826225205e1fa03055d35a8cb048617c832
|
||||
|
||||
Loading…
Reference in new issue