daemon/lldp: reject zero-length management address

A neighbor sending a Management Address TLV with addr_str_length == 0
caused `addr_length` to underflow and `addr_str_buffer[0]` (the address
family byte) to be read uninitialized.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

diff --git a/src/daemon/protocols/lldp.c b/src/daemon/protocols/lldp.c
index 6e732373955d974e3fcfb323e81d10885909a27d..2b5422acd7f0bd1fdfc96353e7d68314133ef409 100644 (file)
--- a/src/daemon/protocols/lldp.c
+++ b/src/daemon/protocols/lldp.c
@@ -796,8 +796,10 @@ lldp_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hardwa
                case LLDP_TLV_MGMT_ADDR:
                        CHECK_TLV_SIZE(1, "Management address");
                        addr_str_length = PEEK_UINT8;
-                       if (addr_str_length > sizeof(addr_str_buffer)) {
-                               log_warnx("lldp", "too large management address on %s",
+                       if (addr_str_length < 1 ||
+                           addr_str_length > sizeof(addr_str_buffer)) {
+                               log_warnx("lldp",
+                                   "invalid management address length on %s",
                                    hardware->h_ifname);
                                goto malformed;
                        }