From: Vincent Bernat Date: Mon, 9 Mar 2026 19:46:31 +0000 (+0100) Subject: daemon: fix path traversal vulnerability in asroot_iface_description_os() X-Git-Tag: 1.0.21~13 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=dcb62ae78e899518ec8da2151df001f8f789e02f;p=thirdparty%2Flldpd.git daemon: fix path traversal vulnerability in asroot_iface_description_os() `asroot_iface_description_os()` a sysfs path from an interface name received from the unprivileged process. The validation only rejects `\0` or `.` in first position. Add `/` to the list of rejected characters to avoid path traversal. Fix #773 --- diff --git a/NEWS b/NEWS index 7170af8f..1f3ad66a 100644 --- a/NEWS +++ b/NEWS @@ -2,7 +2,7 @@ lldpd (1.0.21) * Changes: + Add "configure lldp portdescription-source" to choose how to populate port description (#763) * Fix: - + Fix path traversal vulnerability in the privileged process (#774) + + Fix path traversal vulnerabilities in the privileged process (#773, #774) lldpd (1.0.20) * Changes: diff --git a/src/daemon/priv-linux.c b/src/daemon/priv-linux.c index ff300038..54017fb1 100644 --- a/src/daemon/priv-linux.c +++ b/src/daemon/priv-linux.c @@ -262,7 +262,7 @@ asroot_iface_description_os(const char *name, const char *description) char descr[IFALIASZ]; FILE *fp; int rc; - if (name[0] == '\0' || name[0] == '.') { + if (name[0] == '\0' || name[0] == '.' || strchr(name, '/') != NULL) { log_warnx("privsep", "odd interface name %s", name); return -1; }
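Review bot: in the src/daemon/priv-linux.c hunk, the name check in asroot_iface_description_os() is still a deny-list (empty name, leading `.`, any `/`) and carries no comment explaining why each case is rejected. Because `name` arrives from the unprivileged process and becomes part of a sysfs path, a one-line comment stating that the name must be a single path component would help keep the condition intact in later edits. The visible lines show no upper bound on the length of `name`; if the caller does not already enforce one, a check against the interface name size limit would tighten this further. The rejected name is also passed unmodified to `log_warnx("privsep", "odd interface name %s", name)`, so consider truncating or escaping it before it reaches the log. Finally, confirm that `<string.h>` is included in this file for the new `strchr()` call, since the hunk does not show the include list.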