Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi!

I would like to push the attached patch to jessie-pu to fix some
security problems present in lldpd: lldpd can crash when receiving
malformed LLDP management addresses. I have been in contact with
the security team and they think a stable update is good enough. Patches
come from upstream.

I will also have to upload an update for wheezy which is affected as
well. Should I use this same bug number or open a new one?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index f3e44f04b0e6..f9097375eee4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lldpd (0.7.11-2+deb8u1) jessie; urgency=medium
+
+  * Fix a segfault when receiving incorrectly formed LLDP management
+    addresses:
+     - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
+  * Fix an assert error when receiving incorrectly formed LLDP management
+    addresses:
+     - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
+
+ -- Vincent Bernat <ber...@debian.org>  Sun, 25 Oct 2015 13:20:22 +0100
+
 lldpd (0.7.11-2) unstable; urgency=medium
 
   * Cherry-pick 0001-lib-fix-pkgconfig-file-substitutions.patch to fix
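Review bot: the new 0.7.11-2+deb8u1 entry describes two crash fixes for malformed LLDP management addresses but carries no bug or advisory reference, so the security nature of the upload cannot be traced from the changelog alone. If an identifier or tracking bug has been assigned for these issues, cite it in the two bullet points next to the patch file names.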
diff --git a/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
new file mode 100644
index 000000000000..ee73682ad2a2
--- /dev/null
+++ b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
@@ -0,0 +1,36 @@
+From 805fbe5f18ef170c63aa2e529acf92c95d3b83b1 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vinc...@bernat.im>
+Date: Sun, 4 Oct 2015 01:50:38 +0200
+Subject: [PATCH 1/2] lldp: fix a buffer overflow when handling management
+ address TLV
+
+When a remote device was advertising a too large management address
+while still respecting TLV boundaries, lldpd would crash due to a buffer
+overflow. However, the buffer being a static one, this buffer overflow
+is not exploitable if hardening was not disabled. This bug exists since
+version 0.5.6.
+---
+ src/daemon/lldp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
+index ae01ccc5078a..cc3585623476 100644
+--- a/src/daemon/lldp.c
++++ b/src/daemon/lldp.c
+@@ -625,7 +625,12 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
+ 		case LLDP_TLV_MGMT_ADDR:
+ 			CHECK_TLV_SIZE(1, "Management address");
+ 			addr_str_length = PEEK_UINT8;
+-			CHECK_TLV_SIZE(addr_str_length, "Management address");
++			if (addr_str_length > sizeof(addr_str_buffer)) {
++				log_warnx("lldp", "too large management address on %s",
++				    hardware->h_ifname);
++				goto malformed;
++			}
++			CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+ 			PEEK_BYTES(addr_str_buffer, addr_str_length);
+ 			addr_length = addr_str_length - 1;
+ 			addr_family = addr_str_buffer[0];
+-- 
+2.6.2
+
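Review bot: in the LLDP_TLV_MGMT_ADDR case the new check bounds addr_str_length from above only, so a TLV that advertises a length of 0 still passes it and reaches `addr_length = addr_str_length - 1` and `addr_family = addr_str_buffer[0]`. There the subtraction goes below zero (or wraps, depending on the variable's type, which the hunk does not show) and the family byte is read from a buffer that PEEK_BYTES did not fill. Consider rejecting a zero length in the same condition, e.g. `if (addr_str_length < 1 || addr_str_length > sizeof(addr_str_buffer))`, unless a later check outside this hunk already covers it. The commit message also does not explain the switch from CHECK_TLV_SIZE(addr_str_length, ...) to CHECK_TLV_SIZE(1 + addr_str_length, ...); one line on why the extra byte is counted would help backport review.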
diff --git a/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
new file mode 100644
index 000000000000..ad61ea2904c6
--- /dev/null
+++ b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
@@ -0,0 +1,135 @@
+From 18d81c30e6bc2f2c6b6e591c10893b9cd6f227aa Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vinc...@bernat.im>
+Date: Sun, 4 Oct 2015 02:24:29 +0200
+Subject: [PATCH 2/2] protocols: don't use assert on paths that can be reached
+
+Malformed packets should not make lldpd crash. Ensure we can handle them
+by not using assert() in this part.
+---
+ src/daemon/cdp.c   | 10 +++++++---
+ src/daemon/edp.c   |  1 -
+ src/daemon/lldp.c  | 14 ++++++++------
+ src/daemon/lldpd.c |  1 -
+ src/daemon/sonmp.c |  8 +++++---
+ 5 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/src/daemon/cdp.c b/src/daemon/cdp.c
+index 4974b00eecbf..c78d64b1f01c 100644
+--- a/src/daemon/cdp.c
++++ b/src/daemon/cdp.c
+@@ -25,7 +25,6 @@
+ #include <unistd.h>
+ #include <errno.h>
+ #include <arpa/inet.h>
+-#include <assert.h>
+ 
+ static int
+ cdp_send(struct lldpd *global,
+@@ -437,8 +436,13 @@ cdp_decode(struct lldpd *cfg, char *frame, int s,
+ 						mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, &addr, 
+ 									sizeof(struct in_addr), 0);
+ 						if (mgmt == NULL) {
+-							assert(errno == ENOMEM);
+-							log_warn("cdp", "unable to allocate memory for management address");
++							if (errno == ENOMEM)
++								log_warn("cdp",
++								    "unable to allocate memory for management address");
++							else
++								log_warn("cdp",
++								    "too large management address received on %s",
++								    hardware->h_ifname);
+ 							goto malformed;
+ 						}
+ 						TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
+diff --git a/src/daemon/edp.c b/src/daemon/edp.c
+index 106d9f6387bc..bf60e4d92363 100644
+--- a/src/daemon/edp.c
++++ b/src/daemon/edp.c
+@@ -25,7 +25,6 @@
+ #include <errno.h>
+ #include <arpa/inet.h>
+ #include <fnmatch.h>
+-#include <assert.h>
+ 
+ static int seq = 0;
+ 
+diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
+index cc3585623476..367655c983bd 100644
+--- a/src/daemon/lldp.c
++++ b/src/daemon/lldp.c
+@@ -20,7 +20,6 @@
+ 
+ #include <unistd.h>
+ #include <errno.h>
+-#include <assert.h>
+ #include <time.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+@@ -151,7 +150,7 @@ lldp_send(struct lldpd *global,
+ 	/* Management addresses */
+ 	TAILQ_FOREACH(mgmt, &chassis->c_mgmt, m_entries) {
+ 		proto = lldpd_af_to_lldp_proto(mgmt->m_family);
+-		assert(proto != LLDP_MGMT_ADDR_NONE);
++		if (proto == LLDP_MGMT_ADDR_NONE) continue;
+ 		if (!(
+ 			  POKE_START_LLDP_TLV(LLDP_TLV_MGMT_ADDR) &&
+ 			  /* Size of the address, including its type */
+@@ -648,10 +647,13 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
+ 				iface = 0;
+ 			mgmt = lldpd_alloc_mgmt(af, addr_ptr, addr_length, iface);
+ 			if (mgmt == NULL) {
+-				assert(errno == ENOMEM);
+-				log_warn("lldp", "unable to allocate memory "
+-							"for management address");
+-						goto malformed;
++				if (errno == ENOMEM)
++					log_warn("lldp", "unable to allocate memory "
++					    "for management address");
++				else
++					log_warn("lldp", "too large management address "
++					    "received on %s", hardware->h_ifname);
++				goto malformed;
+ 			}
+ 			TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
+ 			break;
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index 10c5ed791926..c659bfe69abd 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -195,7 +195,6 @@ lldpd_alloc_mgmt(int family, void *addrptr, size_t addrsize, u_int32_t iface)
+ 		return NULL;
+ 	}
+ 	mgmt->m_family = family;
+-	assert(addrsize <= LLDPD_MGMT_MAXADDRSIZE);
+ 	memcpy(&mgmt->m_addr, addrptr, addrsize);
+ 	mgmt->m_addrsize = addrsize;
+ 	mgmt->m_iface = iface;
+diff --git a/src/daemon/sonmp.c b/src/daemon/sonmp.c
+index 30930cb34093..b55d73b7a59b 100644
+--- a/src/daemon/sonmp.c
++++ b/src/daemon/sonmp.c
+@@ -24,7 +24,6 @@
+ #include <unistd.h>
+ #include <errno.h>
+ #include <arpa/inet.h>
+-#include <assert.h>
+ 
+ static struct sonmp_chassis sonmp_chassis_types[] = {
+ 	{1, "unknown (via SONMP)"},
+@@ -358,8 +357,11 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 	}
+ 	mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, &address, sizeof(struct in_addr), 0);
+ 	if (mgmt == NULL) {
+-		assert(errno == ENOMEM);
+-		log_warn("sonmp", "unable to allocate memory for management address");
++		if (errno == ENOMEM)
++			log_warn("sonmp", "unable to allocate memory for management address");
++		else
++			log_warn("sonmp", "too large management address received on %s",
++			    hardware->h_ifname);
+ 		goto malformed;
+ 	}
+ 	TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
+-- 
+2.6.2
+
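Review bot: the lldpd.c hunk drops `assert(addrsize <= LLDPD_MGMT_MAXADDRSIZE);` directly above `memcpy(&mgmt->m_addr, addrptr, addrsize);` without adding a runtime check in its place, so the copy is only safe if lldpd_alloc_mgmt() already rejects an oversized addrsize before this point. The visible context (a `return NULL;` a few lines earlier) does not show which condition that is; please confirm it or mention it in the commit message. Relatedly, the new else branches in cdp.c, lldp.c and sonmp.c log "too large management address" for every errno other than ENOMEM, which will mislead if lldpd_alloc_mgmt() can fail for another reason. They also use log_warn where patch 1/2 uses log_warnx for the same kind of message; pick one consistently.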
diff --git a/debian/patches/series b/debian/patches/series
index be92513c17cf..98a44eae6655 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 0001-systemd-fix-systemd-unit-file.patch
 0001-lib-fix-pkgconfig-file-substitutions.patch
+0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
+0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
