oui_info_len is an int from a marshaled client message. Without a
sanity check, a negative or huge value drove malloc()/memcpy().
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
{
struct lldpd_custom *custom;
+ if (curr->oui_info_len < 0 ||
+ curr->oui_info_len > LLDP_TLV_ORG_OUI_INFO_MAXLEN) {
+ log_warnx("rpc", "invalid custom TLV info length: %d",
+ curr->oui_info_len);
+ return;
+ }
if ((custom = malloc(sizeof(struct lldpd_custom)))) {
memcpy(custom, curr, sizeof(struct lldpd_custom));
if ((custom->oui_info = malloc(custom->oui_info_len))) {
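Review bot: The new range check still lets `oui_info_len == 0` reach `malloc(custom->oui_info_len)` on the last line of the hunk, and `malloc(0)` may return NULL on some implementations, so a zero-length custom TLV would then take the allocation-failure path instead of being stored; whether that is acceptable depends on the rest of the function, which continues outside the hunk. If zero is a valid length here (the check treats it as one), handle it explicitly before the allocation, e.g. `if (custom->oui_info_len == 0) { custom->oui_info = NULL; }` with the malloc/memcpy on the else path, or tighten the lower bound to `<= 0` if an empty info string is never expected from a client. A short comment on the check, `/* length comes from an untrusted marshaled message; bound it before it reaches malloc/memcpy */`, would record why the bound exists. The enclosing function begins and ends outside the hunk.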