daemon/client: bound MED location data length
authorVincent Bernat <vincent@bernat.ch>
Sat, 9 May 2026 12:41:40 +0000 (14:41 +0200)
committerVincent Bernat <vincent@bernat.ch>
Sat, 9 May 2026 13:26:12 +0000 (15:26 +0200)
A client could submit `set->med_location` with `data_len` negative or
absurdly large; the subsequent `malloc()`/`memcpy` in the daemon would
either request huge sizes or rely on malloc failure to recover. Reject
obviously invalid lengths at the boundary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
src/daemon/client.c

index ade7ca6bac06f488fe325cfd3bef78ff9e8a3ba0..e17330da2a57d7171035fbbcae173cfe6416fcea 100644 (file)
@@ -529,6 +529,12 @@ _client_handle_set_port(struct lldpd *cfg, struct lldpd_port *port,
                            set->med_location->format);
                        return -1;
                }
+               if (set->med_location->data_len < 0 ||
+                   set->med_location->data_len > LLDP_TLV_ORG_OUI_INFO_MAXLEN) {
+                       log_warnx("rpc", "invalid location data length provided: %d",
+                           set->med_location->data_len);
+                       return -1;
+               }
                loc = &port->p_med_location[set->med_location->format - 1];
                free(loc->data);
                memcpy(loc, set->med_location, sizeof(struct lldpd_med_loc));
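Review bot: The upper bound in the added check lets `data_len` equal `LLDP_TLV_ORG_OUI_INFO_MAXLEN`, but a MED location TLV carries a one-byte format ahead of the data. If that constant is the full organisational information-string limit (its definition is not visible here), a maximum-length value would pass the check and still not fit in the TLV when the frame is built. Consider `set->med_location->data_len > LLDP_TLV_ORG_OUI_INFO_MAXLEN - 1`, or a dedicated location-data constant, with a comment above the check such as `/* data_len is client-supplied; bound it before it sizes the allocation and copy below */`. The `malloc()`/`memcpy` that the commit message refers to lie after the hunk's last line, so how a zero `data_len` with a non-NULL `data` is handled there cannot be confirmed from this page.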