proto_lldp: prevent accidental out of bounds memory access

Added an integer arithmetic check prior to performing arithmetic to prevent accidental out of bounds memory access. Signed-off-by: Nathaniel Ferguson <nathaniel@leapfrog.foundation> Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
author: Nathaniel Ferguson <nathaniel@leapfrog.foundation> 2020-05-03 03:18:47 -0400
committer: Tobias Klauser <tklauser@distanz.ch> 2020-05-04 14:12:21 +0200
commit: a6abd136b78b3d10b7dbae96574a509329bedb16 (patch)
tree: 546cdb17cb4666fdad589e0ef4e913513a3f0378
parent: 3e69db49e3c0b8e59c80782e6bad3b02336a28d2 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/proto_lldp.c b/proto_lldp.c
index 889169a..3d1e8bf 100644
--- a/proto_lldp.c
+++ b/proto_lldp.c
@@ -399,11 +399,15 @@ static void lldp(struct pkt_buff *pkt)
 			}
 
 			tlv_info_str++;
+
+			if (tlv_len - mgmt_alen < sizeof(uint32_t))
+				goto out_invalid;
 			tprintf(", Iface Number %u", EXTRACT_32BIT(tlv_info_str));
 
 			tlv_info_str += 4;
 			mgmt_oidlen = *tlv_info_str;
-			if (tlv_len - mgmt_alen - sizeof(uint32_t) - 3 < mgmt_oidlen)
+			if (tlv_len - mgmt_alen - sizeof(uint32_t) < 3 ||
+				tlv_len - mgmt_alen - sizeof(uint32_t) - 3 < mgmt_oidlen)
 				goto out_invalid;
 			if (mgmt_oidlen > 0) {
 				tprintf(", OID ");
author	Nathaniel Ferguson <nathaniel@leapfrog.foundation>	2020-05-03 03:18:47 -0400
committer	Tobias Klauser <tklauser@distanz.ch>	2020-05-04 14:12:21 +0200
commit	a6abd136b78b3d10b7dbae96574a509329bedb16 (patch)
tree	546cdb17cb4666fdad589e0ef4e913513a3f0378
parent	3e69db49e3c0b8e59c80782e6bad3b02336a28d2 (diff)