author | Filipe Brandenburger <filbranden@google.com> | 2018-06-07 22:46:32 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-06-08 08:54:25 +0200 |
commit | d23c3e4c28f21b2f6543747d62e289ed4085458f (patch) | |
tree | f9aeaa3e65b2a38b0e48862e5ee2660dccd5c74a /src/network | |
parent | networkd: add missing _cleanup_ in prefix_new (diff) | |
lldp: check that lldp neighbor raw data size is in expected range
This fixes an insecure use of tainted data as argument to functions that
allocate memory and read from files, which could be tricked into getting
networkctl to allocate a large amount of memory and fill it with file
data.
This was uncovered by Coverity. Fixes CID 1393254.
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/networkctl.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/network/networkctl.c b/src/network/networkctl.c index 29899a9ba7..ccfab40b4d 100644 --- a/src/network/networkctl.c +++ b/src/network/networkctl.c @@ -636,6 +636,10 @@ static int next_lldp_neighbor(FILE *f, sd_lldp_neighbor **ret) { if (l != sizeof(u)) return -EBADMSG; + /* each LLDP packet is at most MTU size, but let's allow up to 4KiB just in case */ + if (le64toh(u) >= 4096) + return -EBADMSG; + raw = new(uint8_t, le64toh(u)); if (!raw) return -ENOMEM; |
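Review bot: in next_lldp_neighbor(), the added comment says sizes "up to 4KiB" are allowed, but the condition `le64toh(u) >= 4096` rejects a length of exactly 4096, so the comment and the check disagree by one. Either change the test to `> 4096` or reword the comment to say the size must be below 4KiB. The literal 4096 would also be easier to audit as a named constant, and storing le64toh(u) in a local variable would make it obvious that the bound check and the following `new(uint8_t, le64toh(u))` allocation use the same value.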