From: Vincent Bernat Date: Sat, 9 May 2026 12:42:19 +0000 (+0200) Subject: lldpd-structs: bound custom TLV oui_info length X-Git-Tag: 1.0.22~21 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=779bc1e37acf59d29c3e87f35eef602347234d48;p=thirdparty%2Flldpd.git lldpd-structs: bound custom TLV oui_info length oui_info_len is an int from a marshaled client message. Without a sanity check, a negative or huge value drove malloc()/memcpy(). Co-Authored-By: Claude Opus 4.7 (1M context) --- diff --git a/src/lldpd-structs.c b/src/lldpd-structs.c index 9088af11..0296e8b7 100644 --- a/src/lldpd-structs.c +++ b/src/lldpd-structs.c @@ -101,6 +101,12 @@ lldpd_custom_tlv_add(struct lldpd_port *port, struct lldpd_custom *curr) { struct lldpd_custom *custom; + if (curr->oui_info_len < 0 || + curr->oui_info_len > LLDP_TLV_ORG_OUI_INFO_MAXLEN) { + log_warnx("rpc", "invalid custom TLV info length: %d", + curr->oui_info_len); + return; + } if ((custom = malloc(sizeof(struct lldpd_custom)))) { memcpy(custom, curr, sizeof(struct lldpd_custom)); if ((custom->oui_info = malloc(custom->oui_info_len))) {
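Review bot: The new check at the top of lldpd_custom_tlv_add() still lets oui_info_len == 0 through, and the malloc(custom->oui_info_len) that follows is then a zero-size allocation, which may return either NULL or a non-NULL pointer depending on the C library. A zero-length custom TLV is therefore either stored or sent down the allocation-failure branch depending on the platform. Consider handling the zero case explicitly, for example by skipping the allocation and leaving oui_info NULL, or by rejecting it in the same condition if an empty info field is not meant to be valid. Separately, the bare `return;` after log_warnx() gives the caller no sign that the TLV was dropped. Since the commit message says the length comes from a marshaled client message, a short comment on the function stating that out-of-range lengths are logged and ignored would make that contract visible to callers.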