From: Fabrizio D'Angelo
To: dev@openvswitch.org
Cc: Jonas Rudloff, Ilya Maximets
Date: Mon, 26 Oct 2020 16:57:40 -0400
Message-Id: <20201026205745.56604-2-fdangelo@redhat.com>
In-Reply-To: <20201026205745.56604-1-fdangelo@redhat.com>
X-Patchwork-Id: 1388099
Subject: [ovs-dev] [PATCH 1/6] lldp: validate a bit more received LLDP frames

From: Aaron Conole

From: Vincent Bernat

Upstream commit:
    commit 3aeae72b97716fddac290634fad02b952d981f17
    Author: Vincent Bernat
    Date: Tue, 1 Oct 2019 21:42:42 +0200

    lldp: validate a bit more received LLDP frames

    Notably, we ensure the order and unicity of Chassis ID, Port ID and
    TTL TLV. For Chassis ID and Port ID, we also ensure the maximum size
    does not exceed 256.

    Fix https://github.com/vincentbernat/lldpd/issues/351

Signed-off-by: Aaron Conole
Co-authored-by: Aaron Conole
Signed-off-by: Vincent Bernat
--- lib/lldp/lldp.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c index 74f747fcdc..e61ce67746 100644 --- a/lib/lldp/lldp.c +++ b/lib/lldp/lldp.c @@ -341,6 +341,12 @@ lldp_send(struct lldpd *global OVS_UNUSED, return dp_packet_size(p); } +#define CHECK_TLV_MAX_SIZE(x, name) \ + do { if (tlv_size > (x)) { \ + VLOG_WARN(name " TLV too large received on %s", \ + hardware->h_ifname); \ + goto malformed; \ + } } while (0) int lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, 
@@ -359,7 +365,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, int length, af; bool gotend = false; bool ttl_received = false; - int tlv_size, tlv_type, tlv_subtype; + int tlv_size, tlv_type, tlv_subtype, tlv_count = 0; u_int8_t *pos, *tlv; void *b; struct lldpd_aa_isid_vlan_maps_tlv *isid_vlan_map = NULL; @@ -411,6 +417,31 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, hardware->h_ifname); goto malformed; } + /* Check order for mandatory TLVs */ + tlv_count++; + switch (tlv_type) { + case LLDP_TLV_CHASSIS_ID: + if (tlv_count != 1) { + VLOG_WARN("first TLV should be a chassis ID on %s, not %d", + hardware->h_ifname, tlv_type); + goto malformed; + } + break; + case LLDP_TLV_PORT_ID: + if (tlv_count != 2) { + VLOG_WARN("second TLV should be a port ID on %s, not %d", + hardware->h_ifname, tlv_type); + goto malformed; + } + break; + case LLDP_TLV_TTL: + if (tlv_count != 3) { + VLOG_WARN("third TLV should be a TTL on %s, not %d", + hardware->h_ifname, tlv_type); + goto malformed; + } + break; + } switch (tlv_type) { case LLDP_TLV_END: @@ -428,7 +459,8 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, case LLDP_TLV_CHASSIS_ID: case LLDP_TLV_PORT_ID: - CHECK_TLV_SIZE(2, "Port Id"); + CHECK_TLV_SIZE(2, "Port/Chassis Id"); + CHECK_TLV_MAX_SIZE(256, "Port/Chassis Id"); tlv_subtype = PEEK_UINT8; if (tlv_subtype == 0 || tlv_subtype > 7) { VLOG_WARN("unknown subtype for tlv id received on %s", 
@@ -438,10 +470,22 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, b = xzalloc(tlv_size - 1); PEEK_BYTES(b, tlv_size - 1); if (tlv_type == LLDP_TLV_PORT_ID) { + if (port->p_id != NULL) { + VLOG_WARN("Port ID TLV received twice on %s", + hardware->h_ifname); + free(b); + goto malformed; + } port->p_id_subtype = tlv_subtype; port->p_id = b; port->p_id_len = tlv_size - 1; } else { + if (chassis->c_id != NULL) { + VLOG_WARN("Chassis ID TLV received twice on %s", + hardware->h_ifname); + free(b); + goto malformed; + } chassis->c_id_subtype = tlv_subtype; chassis->c_id = b; chassis->c_id_len = tlv_size - 1; @@ -449,6 +493,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, break; case LLDP_TLV_TTL: + if (ttl_received) { + VLOG_WARN("TTL TLV received twice on %s", + hardware->h_ifname); + goto malformed; + } CHECK_TLV_SIZE(2, "TTL"); chassis->c_ttl = PEEK_UINT16; ttl_received = true;
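Review bot: CHECK_TLV_MAX_SIZE, added in the hunk at @@ -341,6 +341,12 @@, has undocumented requirements on its call site: it reads tlv_size and hardware and jumps to the malformed label without taking any of them as parameters, and it concatenates name with a string literal (name " TLV too large received on %s"), so name must itself be a string literal. It is also defined at file scope, ahead of lldp_decode(). A short comment above the macro listing those requirements would keep a later caller from using it where they do not hold.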
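Review bot: The warnings in the ordering check at @@ -411,6 +417,31 @@ log the wrong value: the %d argument is tlv_type, which inside case LLDP_TLV_CHASSIS_ID (and likewise in the Port ID and TTL cases) is always that case's own type, so "first TLV should be a chassis ID on %s, not %d" names the chassis ID type as the offender. These branches fire when a mandatory TLV arrives at the wrong position, so logging tlv_count (for example "chassis ID TLV at position %d on %s, expected 1") would describe the actual fault. The switch also has no default case, so this hunk alone does not reject a frame whose first three TLVs are of other types; that relies on a mandatory-TLV presence check outside the visible context, which is worth confirming.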
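Review bot: The bound in CHECK_TLV_MAX_SIZE(256, "Port/Chassis Id") at @@ -428,7 +459,8 @@ is easy to misread as an off-by-one and deserves a comment. The macro tests tlv_size > (x), so a tlv_size of exactly 256 is accepted, and tlv_size at this point still includes the subtype byte that PEEK_UINT8 consumes on the next line. The effective limit is therefore 255 bytes of ID (the following hunk's context allocates tlv_size - 1), which agrees with the "does not exceed 256" wording in the commit message; a one-line comment saying that 256 counts the subtype byte would make that explicit.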
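Review bot: The duplicate checks on port->p_id and chassis->c_id at @@ -438,10 +470,22 @@ run only after b = xzalloc(tlv_size - 1) and PEEK_BYTES(b, tlv_size - 1), which is why both error paths have to free(b). Testing for the duplicate before the allocation, the way the TTL hunk tests ttl_received ahead of CHECK_TLV_SIZE, would avoid the allocate-copy-free on a frame that is about to be rejected and remove two spots where a later edit could drop the free. With the tlv_count check from the earlier hunk, a second Chassis ID or Port ID TLV already fails the position test, so these branches are a backstop; a comment saying so would help the next reader.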