From: Vincent Bernat Date: Sat, 3 Oct 2015 23:50:38 +0000 (+0200) Subject: lldp: fix a buffer overflow when handling management address TLV X-Git-Tag: 0.8.0~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dd4f16e7e816f2165fba76e3d162cd8d2978dcb2;p=thirdparty%2Flldpd.git lldp: fix a buffer overflow when handling management address TLV When a remote device was advertising a too large management address while still respecting TLV boundaries, lldpd would crash due to a buffer overflow. However, the buffer being a static one, this buffer overflow is not exploitable if hardening was not disabled. This bug exists since version 0.5.6. --- diff --git a/src/daemon/protocols/lldp.c b/src/daemon/protocols/lldp.c index b78e3a04..431b22fd 100644 --- a/src/daemon/protocols/lldp.c +++ b/src/daemon/protocols/lldp.c @@ -726,6 +726,11 @@ lldp_decode(struct lldpd *cfg, char *frame, int s, case LLDP_TLV_MGMT_ADDR: CHECK_TLV_SIZE(1, "Management address"); addr_str_length = PEEK_UINT8; + if (addr_str_length > sizeof(addr_str_buffer)) { + log_warnx("lldp", "too large management address on %s", + hardware->h_ifname); + goto malformed; + } CHECK_TLV_SIZE(1 + addr_str_length, "Management address"); PEEK_BYTES(addr_str_buffer, addr_str_length); addr_length = addr_str_length - 1; @@ -734,7 +739,7 @@ lldp_decode(struct lldpd *cfg, char *frame, int s, CHECK_TLV_SIZE(1 + addr_str_length + 5, "Management address"); iface_subtype = PEEK_UINT8; iface_number = PEEK_UINT32; - + af = lldpd_af_from_lldp_proto(addr_family); if (af == LLDPD_AF_UNSPEC) break; @@ -752,7 +757,7 @@ lldp_decode(struct lldpd *cfg, char *frame, int s, TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries); break; case LLDP_TLV_ORG: - CHECK_TLV_SIZE(4, "Organisational"); + CHECK_TLV_SIZE(1 + (int)sizeof(orgid), "Organisational"); PEEK_BYTES(orgid, sizeof(orgid)); tlv_subtype = PEEK_UINT8; if (memcmp(dot1, orgid, sizeof(orgid)) == 0) {