diff mbox series

[meta-networking,kirkstone,5/5] lldpd: patch CVE-2021-43612

Message ID 20260104103843.3450950-5-skandigraun@gmail.com
State New
Headers show
Series [meta-oe,kirkstone,1/5] xdg-user-dirs: upgrade 0.17 -> 0.18 | expand

Commit Message

Gyorgy Sarvari Jan. 4, 2026, 10:38 a.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-43612

Pick the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../lldpd/files/CVE-2021-43612.patch          | 93 +++++++++++++++++++
 .../recipes-daemons/lldpd/lldpd_1.0.8.bb      | 12 +--
 2 files changed, 99 insertions(+), 6 deletions(-)
 create mode 100644 meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
new file mode 100644
index 0000000000..30d416d769
--- /dev/null
+++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
@@ -0,0 +1,93 @@ 
+From 97ea7541a12540fa6680058f09d47be451275725 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Sun, 19 Sep 2021 21:18:47 +0200
+Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+CVE-2021-43612
+
+CVE: CVE-2021-43612
+Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/daemon/protocols/sonmp.c |  2 +-
+ src/daemon/protocols/sonmp.h |  2 +-
+ tests/check_sonmp.c          | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index d2eed15..6c80cb0 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 
+ 	length = s;
+ 	pos = (u_int8_t*)frame;
+-	if (length < SONMP_SIZE) {
++	if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+ 		log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+ 		goto malformed;
+ 	}
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106..ff7a720 100644
+--- a/src/daemon/protocols/sonmp.h
++++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
++#define SONMP_SIZE 19
+ 
+ struct sonmp_chassis {
+ 	int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208..b25f0e2 100644
+--- a/tests/check_sonmp.c
++++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+ 	*/
+ 	char pkt1[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };
+ 	char pkt2[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };
+@@ -99,7 +99,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ 	chassis.c_id_len = ETHER_ADDR_LEN;
+ 	TAILQ_INIT(&chassis.c_mgmt);
+ 	addr = inet_addr("172.17.142.37");
+-	mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, 
++	mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
+ 				&addr, sizeof(in_addr_t), 0);
+ 	if (mgmt == NULL)
+ 		ck_abort();
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
index 022bb62dd8..34cde7b929 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -5,12 +5,12 @@  LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/ISC;md5=f3b90e
 
 DEPENDS = "libbsd libevent"
 
-SRC_URI = "\
-    http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
-    file://lldpd.init.d \
-    file://lldpd.default \
-    file://CVE-2023-41910.patch \
-    "
+SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
+           file://lldpd.init.d \
+           file://lldpd.default \
+           file://CVE-2023-41910.patch \
+           file://CVE-2021-43612.patch \
+           "
 
 SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"
 SRC_URI[sha256sum] = "98d200e76e30f6262c4a4493148c1840827898329146a57a34f8f0f928ca3def"