When addr_str_length is 0, the expression "addr_str_length - 1" underflows to 255 (u_int8_t), and addr_str_buffer[0] is read for the address family byte without having been written by PEEK_BYTES.
Add a lower-bound check alongside the existing upper-bound check. Upstream: https://github.com/lldpd/lldpd/commit/1d55036 Signed-off-by: Timothy Redaelli <[email protected]> --- lib/lldp/lldp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c index 959103d4b..bd0032496 100644 --- a/lib/lldp/lldp.c +++ b/lib/lldp/lldp.c @@ -535,8 +535,9 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, case LLDP_TLV_MGMT_ADDR: CHECK_TLV_SIZE(1, "Management address"); addr_str_length = PEEK_UINT8; - if (addr_str_length > sizeof(addr_str_buffer)) { - VLOG_WARN("too large management address on %s", + if (addr_str_length < 1 + || addr_str_length > sizeof(addr_str_buffer)) { + VLOG_WARN("invalid management address length on %s", hardware->h_ifname); goto malformed; } -- 2.54.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
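Review bot: In the LLDP_TLV_MGMT_ADDR case, the reworded VLOG_WARN ("invalid management address length on %s") now covers both the zero-length and the oversized case but does not report the value, so someone reading the log cannot tell which bound a malformed frame tripped. Since addr_str_length has just been read with PEEK_UINT8, consider including it in the message next to hardware->h_ifname. The diffstat touches only lib/lldp/lldp.c, so nothing in this patch exercises a management address TLV whose length byte is 0; a decode test feeding that frame and expecting the malformed path would pin the fix. Minor: the commit message says addr_str_length is a u_int8_t, so "addr_str_length == 0" states the intent more directly than "addr_str_length < 1".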
