Fix CVE-2021-43612 heap overflow when reading SONMP packages

GeorgGebauer-CZ · GeorgGebauer-CZ · commit 586358c29b79 · 2024-04-26T08:22:15.000+02:00
By sending short SONMP packets, an attacker can make the decoder crash by reading too much data on the heap. SONMP packets are fixed in size, just ensure we get the enough bytes to contain a SONMP packet. References: * lldpd/lldpd@73d4268 * https://nvd.nist.gov/vuln/detail/CVE-2021-43612 Suggested-by: Vincent Bernat (vincent@bernat.ch) CVE: CVE-2021-43612 Signed-off-by: Georg Gebauer <georg.gebauer@zeiss.com>
diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
@@ -0,0 +1,99 @@
+From d1a916264c775d4bb42668de57be6645ca79c525 Mon Sep 17 00:00:00 2001
+From: Georg Gebauer <georg.gebauer@zeiss.com>
+Date: Fri, 26 Apr 2024 08:12:42 +0200
+Subject: [PATCH] Fix CVE-2021-43612 heap overflow when reading SONMP packages
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+References:
+* https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7
+* https://nvd.nist.gov/vuln/detail/CVE-2021-43612
+
+Suggested-by: Vincent Bernat (vincent@bernat.ch)
+CVE: CVE-2021-43612
+---
+ NEWS                         | 2 ++
+ src/daemon/protocols/sonmp.c | 2 +-
+ src/daemon/protocols/sonmp.h | 2 +-
+ tests/check_sonmp.c          | 8 ++++----
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 18b059f..d62b86b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,8 @@ lldpd (1.0.8)
+       liblldpctl for malformed fields.
+     + Fix memory leak when receiving LLDPU with duplicate fields.
+       CVE-2020-27827.
++    + Fix heap overflow when reading SONMP. CVE-2021-43612.
++     Thanks to Jeremy Galindo for discovering this one.
+   * Changes:
+     + Enable "router" capability bit when IPv6 routing is enabled.
+ 
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index d2eed15..6c80cb0 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 
+ 	length = s;
+ 	pos = (u_int8_t*)frame;
+-	if (length < SONMP_SIZE) {
++	if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+ 		log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+ 		goto malformed;
+ 	}
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106..ff7a720 100644
+--- a/src/daemon/protocols/sonmp.h
++++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
++#define SONMP_SIZE 19
+ 
+ struct sonmp_chassis {
+ 	int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208..b1f18c8 100644
+--- a/tests/check_sonmp.c
++++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+ 	*/
+ 	char pkt1[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };
+ 	char pkt2[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
            file://lldpd.init.d \
            file://lldpd.default \
            file://CVE-2023-41910.patch \
+           file://CVE-2021-43612.patch \
            "
 
 SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \`
`9`	`9`	`file://lldpd.init.d \`
`10`	`10`	`file://lldpd.default \`
`11`	`11`	`file://CVE-2023-41910.patch \`
	`12`	`+ file://CVE-2021-43612.patch \`
`12`	`13`	`"`
`13`	`14`
`14`	`15`	`SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"`