[ovs-dev,ADVISORY] CVE-2020-27827: lldp: Externally triggered memory leak.

Message ID f7tczy83j3w.fsf@dhcp-25.97.bos.redhat.com
State Not Applicable

Commit Message

Aaron Conole Jan. 13, 2021, 4:19 p.m. UTC
Description
===========

Multiple versions of Open vSwitch are vulnerable to denial of service
attacks in which crafted LLDP packets could cause memory to be lost
when allocating data to handle specific optional TLVs.  Triggering the
vulnerability requires LLDP processing to be enabled for a specific
port.  Open vSwitch versions before 2.5.x are not vulnerable.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
previously assigned the identifier CVE-2020-27827 to this issue for
the `lldpd` project, and the Open vSwitch project.


Mitigation
==========

For any version of Open vSwitch, preventing LLDP packets from
reaching Open vSwitch mitigates the vulnerability.  We do not recommend
attempting to mitigate the vulnerability this way because of the
following difficulties:

    - Open vSwitch obtains packets before the iptables host firewall,
      so ebtables on the Open vSwitch host cannot ordinarily block the
      vulnerability.

    - If Open vSwitch is configured to receive and transmit LLDP
      messages, the required functionality will need to be disabled,
      potentially disrupting the network.

We have found that Open vSwitch is subject to a denial of service
exploit when LLDP processing is enabled on an interface.  By default,
interfaces are not configured to process LLDP messages.


Recommendation
==============

We recommend that users of Open vSwitch apply the included patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 2.14.1
* 2.13.2
* 2.12.2
* 2.11.5
* 2.10.6
* 2.9.8
* 2.8.10
* 2.7.12
* 2.6.9


Acknowledgments
===============

The Open vSwitch team wishes to thank the reporter:

  Jonas Rudloff <jonas.t.rudloff@gmail.com>

Fix:

The patch to resolve this issue is attached.

Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
Patch

diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index e5755307fb..18afbab9a7 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -513,10 +513,13 @@  lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
             b = xzalloc(tlv_size + 1);
             PEEK_BYTES(b, tlv_size);
             if (tlv_type == LLDP_TLV_PORT_DESCR) {
+                free(port->p_descr);
                 port->p_descr = b;
             } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
+                free(chassis->c_name);
                 chassis->c_name = b;
             } else {
+                free(chassis->c_descr);
                 chassis->c_descr = b;
             }
             break;
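
Review bot: In the three branches for LLDP_TLV_PORT_DESCR, LLDP_TLV_SYSTEM_NAME and the final else, the added free() calls mean a TLV that arrives when the field is already set silently replaces the earlier value, and nothing in the hunk says that last-one-wins behaviour is intended. A one-line comment above the if chain, stating that the same TLV can be seen more than once and the previous buffer must be released before the pointer is overwritten, would keep a later refactor from dropping the free(). It is also worth deciding whether a repeated TLV should instead be discarded (free b and keep the first value), and adding a regression test that decodes a frame repeating each of these TLVs, since the diff touches only lib/lldp/lldp.c.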