From: Aaron Conole <[email protected]>

Upstream commit:
    commit a8d3c90feca548fc0656d95b5d278713db86ff61
    Date: Tue, 17 Nov 2020 09:28:17 -0500

    lldp: avoid memory leak from bad packets

    A packet that contains multiple instances of certain TLVs will cause
    lldpd to continually allocate memory and leak the old memory.  As an
    example, multiple instances of system name TLV will cause old values
    to be dropped by the decoding routine.

    Reported-at: https://github.com/openvswitch/ovs/pull/337
    Reported-by: Jonas Rudloff <[email protected]>
    Signed-off-by: Aaron Conole <[email protected]>

Vulnerability: CVE-2020-27827
Signed-off-by: Aaron Conole <[email protected]>
Signed-off-by: Ilya Maximets <[email protected]>
---

Patch is already applied to all relevant branches.
Sending to ovs-dev as required by the development process.

 lib/lldp/lldp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index e5755307f..18afbab9a 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, 
int s,
             b = xzalloc(tlv_size + 1);
             PEEK_BYTES(b, tlv_size);
             if (tlv_type == LLDP_TLV_PORT_DESCR) {
+                free(port->p_descr);
                 port->p_descr = b;
             } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
+                free(chassis->c_name);
                 chassis->c_name = b;
             } else {
+                free(chassis->c_descr);
                 chassis->c_descr = b;
             }
             break;
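Review bot: The three added `free()` calls in the PORT_DESCR / SYSTEM_NAME / system-description branches are only safe if `port->p_descr`, `chassis->c_name` and `chassis->c_descr` are NULL or heap-owned when the first TLV of a frame is decoded. The allocation of `port` and `chassis` is outside this hunk, so it should be confirmed that they are zero-initialised. A short comment above the first branch would record the intent, e.g. `/* A frame may repeat this TLV; release the earlier copy so the last value wins. */`. The body of lldp_decode continues outside the hunk, and other TLV cases that store a freshly allocated buffer into `port` or `chassis` may overwrite without freeing in the same way, so they are worth checking in the same pass.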
-- 
2.25.4
