From: Vincent Bernat Date: Sat, 9 May 2026 12:41:40 +0000 (+0200) Subject: daemon/client: bound MED location data length X-Git-Tag: 1.0.22~22 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=faf8fcab78c7dbac89e819a0f01339b51d64edca;p=thirdparty%2Flldpd.git daemon/client: bound MED location data length A client could submit `set->med_location` with `data_len` negative or absurdly large; the subsequent `malloc()`/`memcpy` in the daemon would either request huge sizes or rely on malloc failure to recover. Reject obviously invalid lengths at the boundary. Co-Authored-By: Claude Opus 4.7 (1M context) --- diff --git a/src/daemon/client.c b/src/daemon/client.c index ade7ca6b..e17330da 100644 --- a/src/daemon/client.c +++ b/src/daemon/client.c @@ -529,6 +529,12 @@ _client_handle_set_port(struct lldpd *cfg, struct lldpd_port *port, set->med_location->format); return -1; } + if (set->med_location->data_len < 0 || + set->med_location->data_len > LLDP_TLV_ORG_OUI_INFO_MAXLEN) { + log_warnx("rpc", "invalid location data length provided: %d", + set->med_location->data_len); + return -1; + } loc = &port->p_med_location[set->med_location->format - 1]; free(loc->data); memcpy(loc, set->med_location, sizeof(struct lldpd_med_loc));
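Review bot: the upper bound in the new `data_len` check in `_client_handle_set_port()` is `LLDP_TLV_ORG_OUI_INFO_MAXLEN`, which by its name is the generic organizational TLV info limit rather than anything specific to MED location data, and nothing in the hunk says why it is the right ceiling. A short comment above the `if` (or a location-specific constant) would document the choice and make it easier to tighten later, for example per `set->med_location->format`, which is already validated just above. The test also lets `data_len == 0` through: if an empty location is not a meaningful request, `<= 0` would reject it at the same boundary; if it is intentional, say so in the comment, since the commit message mentions a following `malloc()`/`memcpy` that would then run with a zero size. Placing the check before `free(loc->data)` is correct, because a rejected request leaves the port's existing location untouched.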