From: Deepak Rathore <[email protected]> This patch applies the upstream 1.0.22 backport for CVE-2026-46433. The upstream fix commit is referenced in [1], and the public CVE advisory is referenced in [2].
[1] https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6 [2] https://github.com/lldpd/lldpd/security/advisories/GHSA-2g8p-2h3j-63m3 Signed-off-by: Deepak Rathore <[email protected]> --- .../lldpd/files/CVE-2026-46433.patch | 36 +++++++++++++++++++ .../recipes-daemons/lldpd/lldpd_1.0.18.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch new file mode 100644 index 0000000000..d673fd4389 --- /dev/null +++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch @@ -0,0 +1,36 @@ +From bec94ccae65fd40ec6cc417f395cb250dc6bdc1a Mon Sep 17 00:00:00 2001 +From: TristanInSec <[email protected]> +Date: Tue, 12 May 2026 06:01:57 -0400 +Subject: [PATCH] Fix heap OOB read in VLAN decapsulation memmove + +In lldpd_decode(), the VLAN decapsulation memmove shifts frame data +4 bytes left starting at offset 2*ETHER_ADDR_LEN. The source pointer +is correctly offset by +4, but the length argument uses the full +remaining frame length (s - 2*ETHER_ADDR_LEN) instead of accounting +for the 4-byte shift (s - 2*ETHER_ADDR_LEN - 4). + +When the received frame fills the hardware MTU allocation exactly, +the memmove reads 4 bytes past the end of the heap buffer. + +CVE: CVE-2026-46433 +Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6] + +(cherry picked from commit ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6) +Signed-off-by: Deepak Rathore <[email protected]> +--- + src/daemon/lldpd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c +index 4859fb8..d6249bb 100644 +--- a/src/daemon/lldpd.c ++++ b/src/daemon/lldpd.c +@@ -572,7 +572,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hardw + /* VLAN decapsulation means to shift 4 bytes left the frame from + * offset 2*ETHER_ADDR_LEN */ + memmove(frame + 2 * ETHER_ADDR_LEN, frame + 2 * ETHER_ADDR_LEN + 4, +- s - 2 * ETHER_ADDR_LEN); ++ s - 2 * ETHER_ADDR_LEN - 4); + s -= 4; + } + diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb index a1bf4640b2..9b516237b5 100644 --- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb +++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb @@ -10,6 +10,7 @@ SRC_URI = "\ file://lldpd.init.d \ file://lldpd.default \ file://run-ptest \ + file://CVE-2026-46433.patch \ " SRC_URI[sha256sum] = "4b320675d608901a4a0d4feff8f96bb846d4913d914b0cf75b7d0ae80490f2f7" -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#128056): https://lists.openembedded.org/g/openembedded-devel/message/128056 Mute This Topic: https://lists.openembedded.org/mt/120153059/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
