
Commit dd4f16e

committed
lldp: fix a buffer overflow when handling management address TLV
When a remote device advertised an overly large management address while still respecting TLV boundaries, lldpd would crash due to a buffer overflow. However, because the buffer is a static one, this buffer overflow is not exploitable unless hardening has been disabled. This bug has existed since version 0.5.6.
1 parent 3ca1008 commit dd4f16e

1 file changed

+7
-2
lines changed

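--- a/src/daemon/protocols/lldp.c
+++ b/src/daemon/protocols/lldp.c
@@ -726,6 +726,11 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
 case LLDP_TLV_MGMT_ADDR:
 CHECK_TLV_SIZE(1, "Management address");
 addr_str_length = PEEK_UINT8;
+if (addr_str_length > sizeof(addr_str_buffer)) {
+log_warnx("lldp", "too large management address on %s",
+hardware->h_ifname);
+goto malformed;
+}
 CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
 PEEK_BYTES(addr_str_buffer, addr_str_length);
 addr_length = addr_str_length - 1;
@@ -734,7 +739,7 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
 CHECK_TLV_SIZE(1 + addr_str_length + 5, "Management address");
 iface_subtype = PEEK_UINT8;
 iface_number = PEEK_UINT32;
-
+
 af = lldpd_af_from_lldp_proto(addr_family);
 if (af == LLDPD_AF_UNSPEC)
 break;
@@ -752,7 +757,7 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
 TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
 break;
 case LLDP_TLV_ORG:
-CHECK_TLV_SIZE(4, "Organisational");
+CHECK_TLV_SIZE(1 + (int)sizeof(orgid), "Organisational");
 PEEK_BYTES(orgid, sizeof(orgid));
 tlv_subtype = PEEK_UINT8;
 if (memcmp(dot1, orgid, sizeof(orgid)) == 0) {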
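Review bot: The guard added at new line 729 bounds `addr_str_length` only from above, so a management address string length of 0 still passes it and the following `CHECK_TLV_SIZE`, then reaches `addr_length = addr_str_length - 1;` at new line 736. That subtraction wraps or goes negative depending on the variables' types, which are declared outside the hunk, and the address family would then presumably be read from bytes of `addr_str_buffer` that this frame never filled. Rejecting the empty case in the same test would close the gap: `if (addr_str_length < 1 || addr_str_length > sizeof(addr_str_buffer)) {`. Whether a later size check on `addr_length` already rejects the wrapped value cannot be seen from here, since `lldp_decode` begins and ends outside these hunks.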
