From ec51fc90669e5fe1a2096581296d55b3acda6711 Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Thu, 12 Nov 2020 19:54:52 -0500 Subject: [PATCH 3/5] lldp: fix a buffer overflow when handling management address TLV Upstream commit: commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b Author: Vincent Bernat Date: Sun, 4 Oct 2015 01:50:38 +0200 lldp: fix a buffer overflow when handling management address TLV When a remote device was advertising a too large management address while still respecting TLV boundaries, lldpd would crash due to a buffer overflow. However, the buffer being a static one, this buffer overflow is not exploitable if hardening was not disabled. This bug exists since version 0.5.6. Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") Reported-by: Jonas Rudloff Reported-at: https://github.com/openvswitch/ovs/pull/335 Co-authored-by: Fabrizio D'Angelo Signed-off-by: Fabrizio D'Angelo Acked-by: Aaron Conole Signed-off-by: Ilya Maximets
---
 lib/lldp/lldp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index 593c5e1c3..628d0f863 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
 case LLDP_TLV_MGMT_ADDR:
 CHECK_TLV_SIZE(1, "Management address");
 addr_str_length = PEEK_UINT8;
+ if (addr_str_length > sizeof(addr_str_buffer)) {
+ VLOG_WARN("too large management address on %s",
+ hardware->h_ifname);
+ goto malformed;
+ }
 CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
 PEEK_BYTES(addr_str_buffer, addr_str_length);
 addr_length = addr_str_length - 1;
@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
 break;
 case LLDP_TLV_ORG:
- CHECK_TLV_SIZE(4, "Organisational");
+ CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
 PEEK_BYTES(orgid, sizeof orgid);
 tlv_subtype = PEEK_UINT8;
 if (memcmp(dot1, orgid, sizeof orgid) == 0) {
-- 2.28.0
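Review bot: A zero `addr_str_length` still passes the added bound check in the `LLDP_TLV_MGMT_ADDR` case, and the last context line then computes `addr_length = addr_str_length - 1`, which goes negative or wraps depending on the variable types (declared outside the hunk). Rejecting the empty case in the same guard would close that gap: `if (addr_str_length < 1 || addr_str_length > sizeof(addr_str_buffer)) {`. How `addr_length` is used afterwards is not visible here, so the impact should be confirmed against the rest of `lldp_decode`, whose body starts and ends outside the hunk.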
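Review bot: The `1 + sizeof orgid` bound in the `LLDP_TLV_ORG` case equals the old `4` only if `orgid` is declared as a 3-byte array; that declaration is outside the hunk, and if it were a pointer `sizeof` would yield the pointer size instead. A short comment above the check would make the arithmetic self-explanatory, for example `/* organisation identifier plus one subtype byte */`. The enclosing `lldp_decode` starts and ends outside the hunk.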