From: Vincent Bernat <vincent@bernat.im>
Date: Sat, 17 Jan 2015 14:49:21 +0000 (+0100)
Subject: lldp: fix boundary checks when decoding LLDP management address
X-Git-Tag: 0.7.14~48
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=feed548d366d5310e357e0694fffd50f042e31c9;p=thirdparty%2Flldpd.git

lldp: fix boundary checks when decoding LLDP management address
---

diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
index 5b0e4771..7dcfabf2 100644
--- a/src/daemon/lldp.c
+++ b/src/daemon/lldp.c
@@ -703,12 +703,12 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
 		case LLDP_TLV_MGMT_ADDR:
 			CHECK_TLV_SIZE(1, "Management address");
 			addr_str_length = PEEK_UINT8;
-			CHECK_TLV_SIZE(addr_str_length, "Management address");
+			CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
 			PEEK_BYTES(addr_str_buffer, addr_str_length);
 			addr_length = addr_str_length - 1;
 			addr_family = addr_str_buffer[0];
 			addr_ptr = &addr_str_buffer[1];
-			CHECK_TLV_SIZE(5, "Management address");
+			CHECK_TLV_SIZE(1 + addr_str_length + 5, "Management address");
 			iface_subtype = PEEK_UINT8;
 			iface_number = PEEK_UINT32;