From: Deepak Rathore <[email protected]>

This patch applies the upstream 1.0.22 backport for
CVE-2026-46433. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2].

[1] 
https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6
[2] https://github.com/lldpd/lldpd/security/advisories/GHSA-2g8p-2h3j-63m3

Signed-off-by: Deepak Rathore <[email protected]>
---
 .../lldpd/files/CVE-2026-46433.patch          | 36 +++++++++++++++++++
 .../recipes-daemons/lldpd/lldpd_1.0.18.bb     |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 
meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch

diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch 
b/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch
new file mode 100644
index 0000000000..d673fd4389
--- /dev/null
+++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2026-46433.patch
@@ -0,0 +1,36 @@
+From bec94ccae65fd40ec6cc417f395cb250dc6bdc1a Mon Sep 17 00:00:00 2001
+From: TristanInSec <[email protected]>
+Date: Tue, 12 May 2026 06:01:57 -0400
+Subject: [PATCH] Fix heap OOB read in VLAN decapsulation memmove
+
+In lldpd_decode(), the VLAN decapsulation memmove shifts frame data
+4 bytes left starting at offset 2*ETHER_ADDR_LEN.  The source pointer
+is correctly offset by +4, but the length argument uses the full
+remaining frame length (s - 2*ETHER_ADDR_LEN) instead of accounting
+for the 4-byte shift (s - 2*ETHER_ADDR_LEN - 4).
+
+When the received frame fills the hardware MTU allocation exactly,
+the memmove reads 4 bytes past the end of the heap buffer.
+
+CVE: CVE-2026-46433
+Upstream-Status: Backport 
[https://github.com/lldpd/lldpd/commit/ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6]
+
+(cherry picked from commit ca931be63a9cae0fcd8e9b6ae4e916d49f141cd6)
+Signed-off-by: Deepak Rathore <[email protected]>
+---
+ src/daemon/lldpd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index 4859fb8..d6249bb 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -572,7 +572,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s, struct 
lldpd_hardware *hardw
+               /* VLAN decapsulation means to shift 4 bytes left the frame from
+                * offset 2*ETHER_ADDR_LEN */
+               memmove(frame + 2 * ETHER_ADDR_LEN, frame + 2 * ETHER_ADDR_LEN 
+ 4,
+-                  s - 2 * ETHER_ADDR_LEN);
++                  s - 2 * ETHER_ADDR_LEN - 4);
+               s -= 4;
+       }
+ 
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb 
b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb
index a1bf4640b2..9b516237b5 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.18.bb
@@ -10,6 +10,7 @@ SRC_URI = "\
     file://lldpd.init.d \
     file://lldpd.default \
     file://run-ptest \
+    file://CVE-2026-46433.patch \
     "
 
 SRC_URI[sha256sum] = 
"4b320675d608901a4a0d4feff8f96bb846d4913d914b0cf75b7d0ae80490f2f7"
-- 
2.35.6

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#128056): 
https://lists.openembedded.org/g/openembedded-devel/message/128056
Mute This Topic: https://lists.openembedded.org/mt/120153059/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to