diff mbox series

[ovs-dev,v4,3/6] lldp: fix a buffer overflow when handling management address TLV

Message ID 20201113005455.310828-4-fdangelo@redhat.com
State Accepted
Headers show
Series Incorporate fixes from lldpd upstream | expand

Commit Message

Fabrizio D'Angelo Nov. 13, 2020, 12:54 a.m. UTC 
From: Vincent Bernat <vincent@bernat.im>

Upstream commit:
	commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
	Author: Vincent Bernat <vincent@bernat.im>
	Date: Sun, 4 Oct 2015 01:50:38 +0200

	lldp: fix a buffer overflow when handling management address TLV

	When a remote device was advertising a too large management address
	while still respecting TLV boundaries, lldpd would crash due to a buffer
	overflow. However, the buffer being a static one, this buffer overflow
	is not exploitable if hardening was not disabled. This bug exists since
	version 0.5.6.

Co-authored-by: Fabrizio D'Angelo <fdangelo@redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
---
 lib/lldp/lldp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

0-day Robot Nov. 13, 2020, 2:06 a.m. UTC | #1 
Bleep bloop.  Greetings Fabrizio D'Angelo, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.


checkpatch:
ERROR: Author Vincent Bernat <vincent@bernat.im> needs to sign off.
Lines checked: 53, Warnings: 0, Errors: 1


Please check this out.  If you feel there has been an error, please email aconole@redhat.com

Thanks,
0-day Robot
diff mbox series

Patch

diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index 593c5e1c3..5c9d34007 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -530,6 +530,11 @@  lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
         case LLDP_TLV_MGMT_ADDR:
             CHECK_TLV_SIZE(1, "Management address");
             addr_str_length = PEEK_UINT8;
+            if (addr_str_length > sizeof(addr_str_buffer)) {
+                VLOG_WARN("too large management address on %s",
+                          hardware->h_ifname);
+                goto malformed;
+            }
             CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
             PEEK_BYTES(addr_str_buffer, addr_str_length);
             addr_length = addr_str_length - 1;
@@ -554,7 +559,7 @@  lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
             break;
 
         case LLDP_TLV_ORG:
-            CHECK_TLV_SIZE(4, "Organisational");
+            CHECK_TLV_SIZE(1 + (int)sizeof(orgid), "Organisational");
             PEEK_BYTES(orgid, sizeof orgid);
             tlv_subtype = PEEK_UINT8;
             if (memcmp(dot1, orgid, sizeof orgid) == 0) {