From: TristanInSec Date: Tue, 12 May 2026 10:01:57 +0000 (-0400) Subject: Fix heap OOB read in VLAN decapsulation memmove X-Git-Tag: 1.0.22~2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6;p=thirdparty%2Flldpd.git Fix heap OOB read in VLAN decapsulation memmove In lldpd_decode(), the VLAN decapsulation memmove shifts frame data 4 bytes left starting at offset 2*ETHER_ADDR_LEN. The source pointer is correctly offset by +4, but the length argument uses the full remaining frame length (s - 2*ETHER_ADDR_LEN) instead of accounting for the 4-byte shift (s - 2*ETHER_ADDR_LEN - 4). When the received frame fills the hardware MTU allocation exactly, the memmove reads 4 bytes past the end of the heap buffer. --- diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c index 0b226f04..2b5d26a3 100644 --- a/src/daemon/lldpd.c +++ b/src/daemon/lldpd.c @@ -574,7 +574,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hardw /* VLAN decapsulation means to shift 4 bytes left the frame from * offset 2*ETHER_ADDR_LEN */ memmove(frame + 2 * ETHER_ADDR_LEN, frame + 2 * ETHER_ADDR_LEN + 4, - s - 2 * ETHER_ADDR_LEN); + s - 2 * ETHER_ADDR_LEN - 4); s -= 4; }
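Review bot: the corrected length `s - 2 * ETHER_ADDR_LEN - 4` in the memmove is computed from `int s`, and the visible context shows no lower bound on `s` before the call. For a frame shorter than `2 * ETHER_ADDR_LEN + 4` bytes the expression goes negative and is converted to a very large `size_t`. If an earlier check in lldpd_decode() already guarantees that minimum, a one-line comment above the memmove saying so would make the arithmetic auditable from this block alone; otherwise, wrap the decapsulation in a check such as `s >= 2 * ETHER_ADDR_LEN + 4`. The commit message names the triggering condition (a frame that fills the hardware MTU allocation exactly), so a regression test feeding a VLAN-tagged frame of exactly that size under a memory sanitizer would pin this fix down.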