diff options
| author | Aaron Conole <aconole@redhat.com> | 2021-01-13 10:47:19 -0500 |
|---|---|---|
| committer | Ilya Maximets <i.maximets@ovn.org> | 2021-01-13 17:01:24 +0100 |
| commit | a99a3bda48d6dfe8b51ec0cb0e63dd1ff0c29e55 (patch) | |
| tree | f9afb90a0cfdb60615fbbde21d3ff77c7597e397 | |
| parent | f108cc1fcc8f1cd378252fd8da7285d66aaebb48 (diff) | |
| download | openvswitch-a99a3bda48d6dfe8b51ec0cb0e63dd1ff0c29e55.tar.gz | |
lldp: do not leak memory on multiple instances of TLVs
Upstream commit:
commit a8d3c90feca548fc0656d95b5d278713db86ff61
Date: Tue, 17 Nov 2020 09:28:17 -0500
lldp: avoid memory leak from bad packets
A packet that contains multiple instances of certain TLVs will cause
lldpd to continually allocate memory and leak the old memory. As an
example, multiple instances of system name TLV will cause old values
to be dropped by the decoding routine.
Reported-at: https://github.com/openvswitch/ovs/pull/337
Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Vulnerability: CVE-2020-27827
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
| -rw-r--r-- | lib/lldp/lldp.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c index e5755307f..18afbab9a 100644 --- a/lib/lldp/lldp.c +++ b/lib/lldp/lldp.c @@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, b = xzalloc(tlv_size + 1); PEEK_BYTES(b, tlv_size); if (tlv_type == LLDP_TLV_PORT_DESCR) { + free(port->p_descr); port->p_descr = b; } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) { + free(chassis->c_name); chassis->c_name = b; } else { + free(chassis->c_descr); chassis->c_descr = b; } break; |