From 78e712c0b1dacc2f12d2a03d98f083d8672867f0 Mon Sep 17 00:00:00 2001
From: Aaron Conole <aconole@redhat.com>
Date: Wed, 13 Jan 2021 10:47:19 -0500
Subject: [PATCH] lldp: do not leak memory on multiple instances of TLVs
Upstream commit:
commit a8d3c90feca548fc0656d95b5d278713db86ff61
Date: Tue, 17 Nov 2020 09:28:17 -0500
lldp: avoid memory leak from bad packets
A packet that contains multiple instances of certain TLVs will cause
lldpd to continually allocate memory and leak the old memory. As an
example, multiple instances of system name TLV will cause old values
to be dropped by the decoding routine.
Reported-at: https://github.com/openvswitch/ovs/pull/337
Reported-by: Jonas Rudloff <jonas.t.rudloff@gmail.com>
Signed-off-by: Aaron Conole <aconole@redhat.com>
Vulnerability: CVE-2020-27827
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
lib/lldp/lldp.c | 3 +++
1 file changed, 3 insertions(+)
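diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index e5755307fb..18afbab9a7 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
 b = xzalloc(tlv_size + 1);
 PEEK_BYTES(b, tlv_size);
 if (tlv_type == LLDP_TLV_PORT_DESCR) {
+ free(port->p_descr);
 port->p_descr = b;
 } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
+ free(chassis->c_name);
 chassis->c_name = b;
 } else {
+ free(chassis->c_descr);
 chassis->c_descr = b;
 }
 break;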
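Review bot: The three added `free()` calls make a repeated Port Description, System Name or System Description TLV silently replace the earlier value, so a malformed frame is still decoded with last-instance-wins semantics and nothing records that it was malformed. If that is the intended policy, a comment above the `if` should say so, e.g. `/* A frame may repeat this TLV: free the previous copy so the last instance wins without leaking. */`; otherwise consider a rate-limited log message or rejecting the frame when the field is already set. The other `case` arms of `lldp_decode` lie outside this hunk; any that store a freshly allocated buffer into `chassis` or `port` would presumably need the same treatment, which is worth confirming. A regression test that decodes a frame carrying a repeated TLV under a leak checker would pin the fix.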