From a6abd136b78b3d10b7dbae96574a509329bedb16 Mon Sep 17 00:00:00 2001
From: Nathaniel Ferguson
Date: Sun, 3 May 2020 03:18:47 -0400
Subject: proto_lldp: prevent accidental out of bounds memory access

Added an integer arithmetic check prior to performing arithmetic to prevent accidental out of bounds memory access.

Signed-off-by: Nathaniel Ferguson
Signed-off-by: Tobias Klauser
---
 proto_lldp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/proto_lldp.c b/proto_lldp.c
index 889169a..3d1e8bf 100644
--- a/proto_lldp.c
+++ b/proto_lldp.c
@@ -399,11 +399,15 @@ static void lldp(struct pkt_buff *pkt)
 }
 tlv_info_str++;
+
+ if (tlv_len - mgmt_alen < sizeof(uint32_t))
+ goto out_invalid;
 tprintf(", Iface Number %u", EXTRACT_32BIT(tlv_info_str));
 tlv_info_str += 4;
 mgmt_oidlen = *tlv_info_str;
- if (tlv_len - mgmt_alen - sizeof(uint32_t) - 3 < mgmt_oidlen)
+ if (tlv_len - mgmt_alen - sizeof(uint32_t) < 3 ||
+ tlv_len - mgmt_alen - sizeof(uint32_t) - 3 < mgmt_oidlen)
 goto out_invalid;
 if (mgmt_oidlen > 0) {
 tprintf(", OID ");
-- 
cgit v1.2.3-54-g00ecf
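Review bot: The new guard before `EXTRACT_32BIT(tlv_info_str)` only requires `tlv_len - mgmt_alen >= sizeof(uint32_t)`, yet the later check budgets 3 more bytes for what look like the single-byte length and subtype fields, and `mgmt_oidlen = *tlv_info_str` is still dereferenced before that `< 3` test runs. If the bytes are counted as the second check implies, a TLV with `tlv_len - mgmt_alen` between 4 and 6 passes the first guard while either the 4-byte read or the OID-length read runs past the end of the TLV. A single up-front test, `if (tlv_len - mgmt_alen < sizeof(uint32_t) + 3) goto out_invalid;`, placed before the interface-number read would cover both accesses. Both guards compare against a `size_t`, so they also depend on `mgmt_alen <= tlv_len` having been established earlier, otherwise the difference converts to a large unsigned value and passes. That earlier check and the variable types are outside this hunk, as are the start and end of `lldp()`, so they should be confirmed.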