lldpd: fix CVE-2023-41910 and CVE-2021-43612 for kirkstone (CVE-Score 9.8 and 7.5)

meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch

@@ -0,0 +1,99 @@
+From d1a916264c775d4bb42668de57be6645ca79c525 Mon Sep 17 00:00:00 2001
+From: Georg Gebauer <georg.gebauer@zeiss.com>
+Date: Fri, 26 Apr 2024 08:12:42 +0200
+Subject: [PATCH] Fix CVE-2021-43612 heap overflow when reading SONMP packages
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+References:
+* https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7
+* https://nvd.nist.gov/vuln/detail/CVE-2021-43612
+
+Suggested-by: Vincent Bernat (vincent@bernat.ch)
+CVE: CVE-2021-43612
+---
+ NEWS                         | 2 ++
+ src/daemon/protocols/sonmp.c | 2 +-
+ src/daemon/protocols/sonmp.h | 2 +-
+ tests/check_sonmp.c          | 8 ++++----
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 18b059f..d62b86b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,8 @@ lldpd (1.0.8)
+       liblldpctl for malformed fields.
+     + Fix memory leak when receiving LLDPU with duplicate fields.
+       CVE-2020-27827.
++    + Fix heap overflow when reading SONMP. CVE-2021-43612.
++     Thanks to Jeremy Galindo for discovering this one.
+   * Changes:
+     + Enable "router" capability bit when IPv6 routing is enabled.
+
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index d2eed15..6c80cb0 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+
+ 	length = s;
+ 	pos = (u_int8_t*)frame;
+-	if (length < SONMP_SIZE) {
++	if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+ 		log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+ 		goto malformed;
+ 	}
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106..ff7a720 100644
+--- a/src/daemon/protocols/sonmp.h
++++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
++#define SONMP_SIZE 19
+
+ struct sonmp_chassis {
+ 	int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208..b1f18c8 100644
+--- a/tests/check_sonmp.c
++++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+ 	*/
+ 	char pkt1[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };
+ 	char pkt2[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };

meta-networking/recipes-daemons/lldpd/files/CVE-2023-41910.patch

@@ -0,0 +1,25 @@
+From b961961e5eff35c233a5cb8484d2e51d4b513247 Mon Sep 17 00:00:00 2001
+From: Georg Gebauer <georg.gebauer@zeiss.com>
+Date: Thu, 25 Apr 2024 16:37:25 +0200
+Subject: [PATCH] Fix for CVE-2023-41910 Critical (9.8) issue -  Fix Read
+ overflow when parsing CDP address
+
+References:
+- https://nvd.nist.gov/vuln/detail/CVE-2023-41910
+- https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b
+---
+ src/daemon/protocols/cdp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/daemon/protocols/cdp.c b/src/daemon/protocols/cdp.c
+index 4a14ff0..c3a7c22 100644
+--- a/src/daemon/protocols/cdp.c
++++ b/src/daemon/protocols/cdp.c
+@@ -483,6 +483,7 @@ cdp_decode(struct lldpd *cfg, char *frame, int s,
+ 					goto malformed;
+ 				}
+ 				PEEK_DISCARD(address_len);
++				addresses_len -= address_len;
+ 				(void)PEEK_SAVE(pos_next_address);
+ 				/* Next, we go back and try to extract
+ 				   IPv4 address */

meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb

@@ -5,11 +5,12 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/ISC;md5=f3b90e
 
 DEPENDS = "libbsd libevent"
 
-SRC_URI = "\
-    http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
-    file://lldpd.init.d \
-    file://lldpd.default \
-    "
+SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
+           file://lldpd.init.d \
+           file://lldpd.default \
+           file://CVE-2023-41910.patch \
+           file://CVE-2021-43612.patch \
+           "
 
 SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"
 SRC_URI[sha256sum] = "98d200e76e30f6262c4a4493148c1840827898329146a57a34f8f0f928ca3def"