Fabrizio D'Angelo <[email protected]> writes: > From: Vincent Bernat <[email protected]> > > Upstream commit: > commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b > Author: Vincent Bernat <[email protected]> > Date: Sun, 4 Oct 2015 01:50:38 +0200 > > lldp: fix a buffer overflow when handling management address TLV > > When a remote device was advertising a too large management address > while still respecting TLV boundaries, lldpd would crash due to a buffer > overflow. However, the buffer being a static one, this buffer overflow > is not exploitable if hardening was not disabled. This bug exists since > version 0.5.6. > > Co-authored-by: Fabrizio D'Angelo <[email protected]> > Signed-off-by: Fabrizio D'Angelo <[email protected]> > --- > lib/lldp/lldp.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c > index 593c5e1c34..172bccdc71 100644 > --- a/lib/lldp/lldp.c > +++ b/lib/lldp/lldp.c > @@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, > int s, > case LLDP_TLV_MGMT_ADDR: > CHECK_TLV_SIZE(1, "Management address"); > addr_str_length = PEEK_UINT8; > + if (addr_str_length > sizeof(addr_str_buffer)) { > + VLOG_WARN("too large management address on %s", > + hardware->h_ifname);
The whitespace is still incorrect here. Otherwise, Acked-by: Aaron Conole <[email protected]> > + goto malformed; > + } > CHECK_TLV_SIZE(1 + addr_str_length, "Management address"); > PEEK_BYTES(addr_str_buffer, addr_str_length); > addr_length = addr_str_length - 1; > @@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, > int s, > break; > > case LLDP_TLV_ORG: > - CHECK_TLV_SIZE(4, "Organisational"); > + CHECK_TLV_SIZE(1 + (int)sizeof(orgid), "Organisational"); > PEEK_BYTES(orgid, sizeof orgid); > tlv_subtype = PEEK_UINT8; > if (memcmp(dot1, orgid, sizeof orgid) == 0) { _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
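Review bot: In the LLDP_TLV_MGMT_ADDR hunk, the new check bounds addr_str_length only from above. A value of 0 read by PEEK_UINT8 passes both this check and the following CHECK_TLV_SIZE, and `addr_length = addr_str_length - 1;` then becomes -1 or wraps, depending on the type of addr_length, which is not visible in the hunk. Consider rejecting a zero length in the same condition, for example `if (addr_str_length < 1 || addr_str_length > sizeof(addr_str_buffer))`, or confirm that the code after this hunk already handles it. The continuation line of the VLOG_WARN call is the one the reply flags for whitespace and still needs fixing before this is applied.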
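Review bot: The LLDP_TLV_ORG hunk is not covered by the commit message, which describes only the management address overflow. State in the message why the literal 4 becomes `1 + (int)sizeof(orgid)` (the bytes read by PEEK_BYTES into orgid plus the one-byte subtype read by PEEK_UINT8), so the change is not mistaken for an unrelated edit. The new line also writes `sizeof(orgid)` while the PEEK_BYTES and memcmp lines in the same hunk write `sizeof orgid`; use one form throughout.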
