lldp: check that lldp neighbor raw data size is in expected range

This fixes an insecure use of tainted data as argument to functions that allocate memory and read from files, which could be tricked into getting networkctl to allocate a large amount of memory and fill it with file data. This was uncovered by Coverity. Fixes CID 1393254.
2018-06-07 13:46:32 -07:00 · 2018-06-07 13:46:32 -07:00 · d23c3e4c28
parent 15b8332e7c
commit d23c3e4c28
1 changed files with 4 additions and 0 deletions
--- a/src/network/networkctl.c
+++ b/src/network/networkctl.c
@ -636,6 +636,10 @@ static int next_lldp_neighbor(FILE *f, sd_lldp_neighbor **ret) {
        if (l != sizeof(u))
                return -EBADMSG;

+        /* each LLDP packet is at most MTU size, but let's allow up to 4KiB just in case */
+        if (le64toh(u) >= 4096)
+                return -EBADMSG;
+
        raw = new(uint8_t, le64toh(u));
        if (!raw)
                return -ENOMEM;