Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
lldpd: Fix CVE-2021-43612 heap overflow when reading SONMP packages
By sending short SONMP packets, an attacker can make the decoder crash by reading too much data on the heap. SONMP packets are fixed in size, just ensure we get the enough bytes to contain a SONMP packet. References: * lldpd/lldpd@73d4268 * https://nvd.nist.gov/vuln/detail/CVE-2021-43612 Suggested-by: Vincent Bernat (vincent@bernat.ch) CVE: CVE-2021-43612 Signed-off-by: Georg Gebauer <georg.gebauer@zeiss.com>
- Loading branch information
1 parent
cecb7c4
commit 5e1dec4
Showing
2 changed files
with
100 additions
and
0 deletions.
There are no files selected for viewing
99 changes: 99 additions & 0 deletions
99
meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| From d1a916264c775d4bb42668de57be6645ca79c525 Mon Sep 17 00:00:00 2001 | ||
| From: Georg Gebauer <georg.gebauer@zeiss.com> | ||
| Date: Fri, 26 Apr 2024 08:12:42 +0200 | ||
| Subject: [PATCH] Fix CVE-2021-43612 heap overflow when reading SONMP packages | ||
|
|
||
| By sending short SONMP packets, an attacker can make the decoder crash | ||
| by reading too much data on the heap. SONMP packets are fixed in size, | ||
| just ensure we get the enough bytes to contain a SONMP packet. | ||
|
|
||
| References: | ||
| * https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7 | ||
| * https://nvd.nist.gov/vuln/detail/CVE-2021-43612 | ||
|
|
||
| Suggested-by: Vincent Bernat (vincent@bernat.ch) | ||
| CVE: CVE-2021-43612 | ||
| --- | ||
| NEWS | 2 ++ | ||
| src/daemon/protocols/sonmp.c | 2 +- | ||
| src/daemon/protocols/sonmp.h | 2 +- | ||
| tests/check_sonmp.c | 8 ++++---- | ||
| 4 files changed, 8 insertions(+), 6 deletions(-) | ||
|
|
||
| diff --git a/NEWS b/NEWS | ||
| index 18b059f..d62b86b 100644 | ||
| --- a/NEWS | ||
| +++ b/NEWS | ||
| @@ -4,6 +4,8 @@ lldpd (1.0.8) | ||
| liblldpctl for malformed fields. | ||
| + Fix memory leak when receiving LLDPU with duplicate fields. | ||
| CVE-2020-27827. | ||
| + + Fix heap overflow when reading SONMP. CVE-2021-43612. | ||
| + Thanks to Jeremy Galindo for discovering this one. | ||
| * Changes: | ||
| + Enable "router" capability bit when IPv6 routing is enabled. | ||
|
|
||
| diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c | ||
| index d2eed15..6c80cb0 100644 | ||
| --- a/src/daemon/protocols/sonmp.c | ||
| +++ b/src/daemon/protocols/sonmp.c | ||
| @@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s, | ||
|
|
||
| length = s; | ||
| pos = (u_int8_t*)frame; | ||
| - if (length < SONMP_SIZE) { | ||
| + if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) { | ||
| log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname); | ||
| goto malformed; | ||
| } | ||
| diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h | ||
| index 0e60106..ff7a720 100644 | ||
| --- a/src/daemon/protocols/sonmp.h | ||
| +++ b/src/daemon/protocols/sonmp.h | ||
| @@ -24,7 +24,7 @@ | ||
| #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 } | ||
| #define LLC_PID_SONMP_HELLO 0x01a2 | ||
| #define LLC_PID_SONMP_FLATNET 0x01a1 | ||
| -#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8) | ||
| +#define SONMP_SIZE 19 | ||
|
|
||
| struct sonmp_chassis { | ||
| int type; | ||
| diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c | ||
| index 8c7a208..b1f18c8 100644 | ||
| --- a/tests/check_sonmp.c | ||
| +++ b/tests/check_sonmp.c | ||
| @@ -33,7 +33,7 @@ START_TEST (test_send_sonmp) | ||
| IEEE 802.3 Ethernet | ||
| Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00) | ||
| Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad) | ||
| - Length: 22 | ||
| + Length: 19 | ||
| Logical-Link Control | ||
| DSAP: SNAP (0xaa) | ||
| IG Bit: Individual | ||
| @@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol | ||
| IEEE 802.3 Ethernet | ||
| Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01) | ||
| Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad) | ||
| - Length: 22 | ||
| + Length: 19 | ||
| Logical-Link Control | ||
| DSAP: SNAP (0xaa) | ||
| IG Bit: Individual | ||
| @@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol | ||
| */ | ||
| char pkt1[] = { | ||
| 0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10, | ||
| - 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa, | ||
| + 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa, | ||
| 0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11, | ||
| 0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03, | ||
| 0x01 }; | ||
| char pkt2[] = { | ||
| 0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10, | ||
| - 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa, | ||
| + 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa, | ||
| 0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11, | ||
| 0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03, | ||
| 0x01 }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters