rpms
/
openvswitch
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '15cf57cfc2'
${ noResults }
openvswitch/0003-lldp-fix-a-buffer-over...

59 lines
2.4 KiB
Raw Blame History

From ec51fc90669e5fe1a2096581296d55b3acda6711 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <vincent@bernat.im>
Date: Thu, 12 Nov 2020 19:54:52 -0500
Subject: [PATCH 3/5] lldp: fix a buffer overflow when handling management
address TLV
Upstream commit:
commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
Author: Vincent Bernat <vincent@bernat.im>
Date: Sun, 4 Oct 2015 01:50:38 +0200
lldp: fix a buffer overflow when handling management address TLV
When a remote device was advertising a too large management address
while still respecting TLV boundaries, lldpd would crash due to a buffer
overflow. However, the buffer being a static one, this buffer overflow
is not exploitable if hardening was not disabled. This bug exists since
version 0.5.6.
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/335
Co-authored-by: Fabrizio D'Angelo <fdangelo@redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
lib/lldp/lldp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index 593c5e1c3..628d0f863 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
case LLDP_TLV_MGMT_ADDR:
CHECK_TLV_SIZE(1, "Management address");
addr_str_length = PEEK_UINT8;
+ if (addr_str_length > sizeof(addr_str_buffer)) {
+ VLOG_WARN("too large management address on %s",
+ hardware->h_ifname);
+ goto malformed;
+ }
CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
PEEK_BYTES(addr_str_buffer, addr_str_length);
addr_length = addr_str_length - 1;
@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
break;
case LLDP_TLV_ORG:
- CHECK_TLV_SIZE(4, "Organisational");
+ CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
PEEK_BYTES(orgid, sizeof orgid);
tlv_subtype = PEEK_UINT8;
if (memcmp(dot1, orgid, sizeof orgid) == 0) {
--
2.28.0
Reference in new issue View Git Blame Copy Permalink