From c624f777e41e0301547db750a9eca6208b7d6aba Mon Sep 17 00:00:00 2001 From: Aaron Conole Date: Wed, 13 Jan 2021 10:47:19 -0500 Subject: lldp: do not leak memory on multiple instances of TLVs Upstream commit: commit a8d3c90feca548fc0656d95b5d278713db86ff61 Date: Tue, 17 Nov 2020 09:28:17 -0500 lldp: avoid memory leak from bad packets A packet that contains multiple instances of certain TLVs will cause lldpd to continually allocate memory and leak the old memory. As an example, multiple instances of system name TLV will cause old values to be dropped by the decoding routine. Reported-at: https://github.com/openvswitch/ovs/pull/337 Reported-by: Jonas Rudloff Signed-off-by: Aaron Conole Vulnerability: CVE-2020-27827 Signed-off-by: Aaron Conole Signed-off-by: Ilya Maximets --- lib/lldp/lldp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c index e5755307f..18afbab9a 100644 --- a/lib/lldp/lldp.c +++ b/lib/lldp/lldp.c @@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, b = xzalloc(tlv_size + 1); PEEK_BYTES(b, tlv_size); if (tlv_type == LLDP_TLV_PORT_DESCR) { + free(port->p_descr); port->p_descr = b; } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) { + free(chassis->c_name); chassis->c_name = b; } else { + free(chassis->c_descr); chassis->c_descr = b; } break; -- cgit v1.2.1