]> git.ipfire.org Git - thirdparty/lldpd.git/commit
projects / thirdparty / lldpd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7b40322) | patch
Fix heap OOB read in VLAN decapsulation memmove
authorTristanInSec <tristan.mtn@gmail.com>
Tue, 12 May 2026 10:01:57 +0000 (06:01 -0400)
committerVincent Bernat <vincent@bernat.ch>
Tue, 12 May 2026 12:28:19 +0000 (14:28 +0200)
commitca931be63a9cae0fcd8e9b6ae4e916d49f141cd6
treeb936b282ac5e4806520e8cfa742573a6faef0134tree | snapshot
parent7b40322ae6910ea1bc2d76d50914ebcf37f64cf8commit | diff
Fix heap OOB read in VLAN decapsulation memmove

In lldpd_decode(), the VLAN decapsulation memmove shifts frame data
4 bytes left starting at offset 2*ETHER_ADDR_LEN.  The source pointer
is correctly offset by +4, but the length argument uses the full
remaining frame length (s - 2*ETHER_ADDR_LEN) instead of accounting
for the 4-byte shift (s - 2*ETHER_ADDR_LEN - 4).

When the received frame fills the hardware MTU allocation exactly,
the memmove reads 4 bytes past the end of the heap buffer.
src/daemon/lldpd.c diff | blob | blame | history
Link Layer Discovery Protocol from http://github.com/vincentbernat/lldpd