Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi!

I would like to push the attached patch to jessie-pu to fix some security problems present in lldpd: lldpd can crash when receiving malformed LLDP management addresses. I have been in contact with the security team and they think a stable update is good enough. Patches come from upstream.

I will also have to upload an update for wheezy, which is affected as well. Should I use this same bug number or open a new one?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog index f3e44f04b0e6..f9097375eee4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +lldpd (0.7.11-2+deb8u1) jessie; urgency=medium + + * Fix a segfault when receiving incorrectly formed LLDP management + addresses: + - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch + * Fix an assert error when receiving incorrectly formed LLDP management + addresses: + - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch + + -- Vincent Bernat <ber...@debian.org> Sun, 25 Oct 2015 13:20:22 +0100 + lldpd (0.7.11-2) unstable; urgency=medium * Cherry-pick 0001-lib-fix-pkgconfig-file-substitutions.patch to fix diff --git a/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch new file mode 100644 index 000000000000..ee73682ad2a2 --- /dev/null +++ b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch 
@@ -0,0 +1,36 @@ +From 805fbe5f18ef170c63aa2e529acf92c95d3b83b1 Mon Sep 17 00:00:00 2001 +From: Vincent Bernat <vinc...@bernat.im> +Date: Sun, 4 Oct 2015 01:50:38 +0200 +Subject: [PATCH 1/2] lldp: fix a buffer overflow when handling management + address TLV + +When a remote device was advertising a too large management address +while still respecting TLV boundaries, lldpd would crash due to a buffer +overflow. However, the buffer being a static one, this buffer overflow +is not exploitable if hardening was not disabled. This bug exists since +version 0.5.6. +--- + src/daemon/lldp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c +index ae01ccc5078a..cc3585623476 100644 +--- a/src/daemon/lldp.c ++++ b/src/daemon/lldp.c +@@ -625,7 +625,12 @@ lldp_decode(struct lldpd *cfg, char *frame, int s, + case LLDP_TLV_MGMT_ADDR: + CHECK_TLV_SIZE(1, "Management address"); + addr_str_length = PEEK_UINT8; +- CHECK_TLV_SIZE(addr_str_length, "Management address"); ++ if (addr_str_length > sizeof(addr_str_buffer)) { ++ log_warnx("lldp", "too large management address on %s", ++ hardware->h_ifname); ++ goto malformed; ++ } ++ CHECK_TLV_SIZE(1 + addr_str_length, "Management address"); + PEEK_BYTES(addr_str_buffer, addr_str_length); + addr_length = addr_str_length - 1; + addr_family = addr_str_buffer[0]; +-- +2.6.2 + diff --git a/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch new file mode 100644 index 000000000000..ad61ea2904c6 --- /dev/null +++ b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch 
@@ -0,0 +1,135 @@ +From 18d81c30e6bc2f2c6b6e591c10893b9cd6f227aa Mon Sep 17 00:00:00 2001 +From: Vincent Bernat <vinc...@bernat.im> +Date: Sun, 4 Oct 2015 02:24:29 +0200 +Subject: [PATCH 2/2] protocols: don't use assert on paths that can be reached + +Malformed packets should not make lldpd crash. Ensure we can handle them +by not using assert() in this part. +--- + src/daemon/cdp.c | 10 +++++++--- + src/daemon/edp.c | 1 - + src/daemon/lldp.c | 14 ++++++++------ + src/daemon/lldpd.c | 1 - + src/daemon/sonmp.c | 8 +++++--- + 5 files changed, 20 insertions(+), 14 deletions(-) + +diff --git a/src/daemon/cdp.c b/src/daemon/cdp.c +index 4974b00eecbf..c78d64b1f01c 100644 +--- a/src/daemon/cdp.c ++++ b/src/daemon/cdp.c +@@ -25,7 +25,6 @@ + #include <unistd.h> + #include <errno.h> + #include <arpa/inet.h> +-#include <assert.h> + + static int + cdp_send(struct lldpd *global, +@@ -437,8 +436,13 @@ cdp_decode(struct lldpd *cfg, char *frame, int s, + mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, &addr, + sizeof(struct in_addr), 0); + if (mgmt == NULL) { +- assert(errno == ENOMEM); +- log_warn("cdp", "unable to allocate memory for management address"); ++ if (errno == ENOMEM) ++ log_warn("cdp", ++ "unable to allocate memory for management address"); ++ else ++ log_warn("cdp", ++ "too large management address received on %s", ++ hardware->h_ifname); + goto malformed; + } + TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries); +diff --git a/src/daemon/edp.c b/src/daemon/edp.c +index 106d9f6387bc..bf60e4d92363 100644 +--- a/src/daemon/edp.c ++++ b/src/daemon/edp.c +@@ -25,7 +25,6 @@ + #include <errno.h> + #include <arpa/inet.h> + #include <fnmatch.h> +-#include <assert.h> + + static int seq = 0; + +diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c +index cc3585623476..367655c983bd 100644 +--- a/src/daemon/lldp.c ++++ b/src/daemon/lldp.c +@@ -20,7 +20,6 @@ + + #include <unistd.h> + #include <errno.h> +-#include <assert.h> + #include <time.h> + #include <sys/types.h> + #include 
<sys/socket.h> +@@ -151,7 +150,7 @@ lldp_send(struct lldpd *global, + /* Management addresses */ + TAILQ_FOREACH(mgmt, &chassis->c_mgmt, m_entries) { + proto = lldpd_af_to_lldp_proto(mgmt->m_family); +- assert(proto != LLDP_MGMT_ADDR_NONE); ++ if (proto == LLDP_MGMT_ADDR_NONE) continue; + if (!( + POKE_START_LLDP_TLV(LLDP_TLV_MGMT_ADDR) && + /* Size of the address, including its type */ +@@ -648,10 +647,13 @@ lldp_decode(struct lldpd *cfg, char *frame, int s, + iface = 0; + mgmt = lldpd_alloc_mgmt(af, addr_ptr, addr_length, iface); + if (mgmt == NULL) { +- assert(errno == ENOMEM); +- log_warn("lldp", "unable to allocate memory " +- "for management address"); +- goto malformed; ++ if (errno == ENOMEM) ++ log_warn("lldp", "unable to allocate memory " ++ "for management address"); ++ else ++ log_warn("lldp", "too large management address " ++ "received on %s", hardware->h_ifname); ++ goto malformed; + } + TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries); + break; +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c +index 10c5ed791926..c659bfe69abd 100644 +--- a/src/daemon/lldpd.c ++++ b/src/daemon/lldpd.c +@@ -195,7 +195,6 @@ lldpd_alloc_mgmt(int family, void *addrptr, size_t addrsize, u_int32_t iface) + return NULL; + } + mgmt->m_family = family; +- assert(addrsize <= LLDPD_MGMT_MAXADDRSIZE); + memcpy(&mgmt->m_addr, addrptr, addrsize); + mgmt->m_addrsize = addrsize; + mgmt->m_iface = iface; +diff --git a/src/daemon/sonmp.c b/src/daemon/sonmp.c +index 30930cb34093..b55d73b7a59b 100644 +--- a/src/daemon/sonmp.c ++++ b/src/daemon/sonmp.c +@@ -24,7 +24,6 @@ + #include <unistd.h> + #include <errno.h> + #include <arpa/inet.h> +-#include <assert.h> + + static struct sonmp_chassis sonmp_chassis_types[] = { + {1, "unknown (via SONMP)"}, +@@ -358,8 +357,11 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s, + } + mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, &address, sizeof(struct in_addr), 0); + if (mgmt == NULL) { +- assert(errno == ENOMEM); +- log_warn("sonmp", "unable 
to allocate memory for management address"); ++ if (errno == ENOMEM) ++ log_warn("sonmp", "unable to allocate memory for management address"); ++ else ++ log_warn("sonmp", "too large management address received on %s", ++ hardware->h_ifname); + goto malformed; + } + TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries); +-- +2.6.2 + diff --git a/debian/patches/series b/debian/patches/series index be92513c17cf..98a44eae6655 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,4 @@ 0001-systemd-fix-systemd-unit-file.patch 0001-lib-fix-pkgconfig-file-substitutions.patch +0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch +0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
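
Review bot: in the lldp_decode hunk at @@ -625,7 +625,12 @@ of src/daemon/lldp.c (patch 1/2), the new test bounds addr_str_length only from above, so a length byte of 0 still reaches `addr_length = addr_str_length - 1;` and `addr_family = addr_str_buffer[0];`. With zero bytes copied by PEEK_BYTES, the family is read from whatever the buffer held before, and addr_length becomes -1 or wraps depending on its type, which is not visible in this hunk. Consider rejecting the TLV when addr_str_length < 1 in the same condition, so both ends of the range are checked before the copy.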
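
Review bot: in the cdp_decode hunk at @@ -437,8 +436,13 @@ of src/daemon/cdp.c, and the matching sonmp_decode hunk at @@ -358,8 +357,11 @@ of src/daemon/sonmp.c, the else branch reports "too large management address" although the call passes a fixed `sizeof(struct in_addr)` with LLDPD_AF_IPV4, so the size does not come from the frame on these paths. Any failure of lldpd_alloc_mgmt other than ENOMEM would be logged with a cause that does not match it. Suggest testing for the specific errno the allocator sets for an oversized address, or logging a generic allocation failure here instead of treating everything that is not ENOMEM as a size problem.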
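
Review bot: in the lldp_send hunk at @@ -151,7 +150,7 @@ of src/daemon/lldp.c, `if (proto == LLDP_MGMT_ADDR_NONE) continue;` drops the management address silently where the assert used to flag the condition. A log line naming mgmt->m_family before the continue would keep an unexpected address family diagnosable, and putting the continue on its own line would match the surrounding style.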
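
Review bot: in the lldp_decode hunk at @@ -648,10 +647,13 @@ of src/daemon/lldp.c, the "too large management address received on %s" message goes through log_warn, while patch 1/2 logs the equivalent condition with log_warnx. If log_warn appends the errno text the way warn(3) does, the line will end with an error string unrelated to a malformed frame. Suggest log_warnx in the else branch for consistency with the check added at @@ -625.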
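
Review bot: in the lldpd_alloc_mgmt hunk at @@ -195,7 +195,6 @@ of src/daemon/lldpd.c, removing `assert(addrsize <= LLDPD_MGMT_MAXADDRSIZE);` leaves `memcpy(&mgmt->m_addr, addrptr, addrsize);` with no bound visible in the hunk context. The callers' new else branches imply that the function already returns NULL with an errno other than ENOMEM for an oversized address. Please confirm that this check runs before the memcpy on every path, and add a short comment above the memcpy naming it, so the invariant the assert used to state stays documented.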