authorVincent Bernat <vincent@bernat.im>2020-11-12 19:54:52 -0500
committerIlya Maximets <i.maximets@ovn.org>2020-11-16 17:47:11 +0100
commitbb5a9937fa8e04e71052fb50e23894448d19678f (patch)
treeb95d4c4369c77f633322888ddca3e742c88021d0 /lib
parent1c8e46d1050f5d902b0d1b65ba43aacf8a1805b7 (diff)
downloadopenvswitch-bb5a9937fa8e04e71052fb50e23894448d19678f.tar.gz
lldp: fix a buffer overflow when handling management address TLV
Upstream commit: commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b Author: Vincent Bernat <vincent@bernat.im> Date: Sun, 4 Oct 2015 01:50:38 +0200 lldp: fix a buffer overflow when handling management address TLV When a remote device was advertising a too large management address while still respecting TLV boundaries, lldpd would crash due to a buffer overflow. However, the buffer being a static one, this buffer overflow is not exploitable if hardening was not disabled. This bug exists since version 0.5.6. Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com> Reported-at: https://github.com/openvswitch/ovs/pull/335 Co-authored-by: Fabrizio D'Angelo <fdangelo@redhat.com> Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com> Acked-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/lldp/lldp.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index 593c5e1c3..628d0f863 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
case LLDP_TLV_MGMT_ADDR:
CHECK_TLV_SIZE(1, "Management address");
addr_str_length = PEEK_UINT8;
+ if (addr_str_length > sizeof(addr_str_buffer)) {
+ VLOG_WARN("too large management address on %s",
+ hardware->h_ifname);
+ goto malformed;
+ }
CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
PEEK_BYTES(addr_str_buffer, addr_str_length);
addr_length = addr_str_length - 1;
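Review bot: A zero `addr_str_length` still passes the added bound check, so the line after `PEEK_BYTES` computes `addr_str_length - 1` from it and, presumably, nothing has been copied into `addr_str_buffer` for the code that follows. The guard could reject that case too, `if (addr_str_length < 1 || addr_str_length > sizeof(addr_str_buffer)) {`, unless the code after the hunk already catches the wrapped length, which is not visible here. Because the frame comes from a remote device, any neighbour can trigger the new `VLOG_WARN` once per frame; a rate-limited `VLOG_WARN_RL` would keep a misbehaving peer from flooding the log, assuming the file has a rate-limit object to pass. The `case` body continues outside the hunk.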
@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
break;
case LLDP_TLV_ORG:
- CHECK_TLV_SIZE(4, "Organisational");
+ CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
PEEK_BYTES(orgid, sizeof orgid);
tlv_subtype = PEEK_UINT8;
if (memcmp(dot1, orgid, sizeof orgid) == 0) {