lldpd: patch CVE-2021-43612

Details: https://nvd.nist.gov/vuln/detail/CVE-2021-43612 Pick the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-04 10:12:51 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-08 22:03:03 +0100
commit: 60f0e23124054f06fb5f668cdc98e09af4d59a9c (patch)
tree: a73ba3819d340b4d2e3959a9f2ebc98cc85f3d10 /meta-networking
parent: 80ed7802adcfa69a0656ded30fa3da94353aba46 (diff)
download: meta-openembedded-60f0e23124054f06fb5f668cdc98e09af4d59a9c.tar.gz
2 files changed, 99 insertions, 6 deletions
diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
new file mode 100644
index 0000000000..30d416d769
--- /dev/null
+++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
@@ -0,0 +1,93 @@
+From 97ea7541a12540fa6680058f09d47be451275725 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Sun, 19 Sep 2021 21:18:47 +0200
+Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+CVE-2021-43612
+CVE: CVE-2021-43612
+Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/daemon/protocols/sonmp.c |  2 +-
+ src/daemon/protocols/sonmp.h |  2 +-
+ tests/check_sonmp.c          | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index d2eed15..6c80cb0 100644
+--- a/src/daemon/protocols/sonmp.c
+++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 
+        length = s;
+        pos = (u_int8_t*)frame;
+-       if (length < SONMP_SIZE) {
+       if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+                log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+                goto malformed;
+        }
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106..ff7a720 100644
+--- a/src/daemon/protocols/sonmp.h
+++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
+#define SONMP_SIZE 19
+ 
+ struct sonmp_chassis {
+        int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208..b25f0e2 100644
+--- a/tests/check_sonmp.c
+++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
+    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
+    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+        */
+        char pkt1[] = {
+                0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+-               0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
+               0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+                0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+                0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+                0x01 };
+        char pkt2[] = {
+                0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+-               0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
+               0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+                0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+                0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+                0x01 };
+@@ -99,7 +99,7 @@ Nortel Networks / SynOptics Network Management Protocol
+        chassis.c_id_len = ETHER_ADDR_LEN;
+        TAILQ_INIT(&chassis.c_mgmt);
+        addr = inet_addr("172.17.142.37");
+-       mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, 
+       mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
+                                &addr, sizeof(in_addr_t), 0);
+        if (mgmt == NULL)
+                ck_abort();
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
index 022bb62dd8..34cde7b929 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -5,12 +5,12 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/ISC;md5=f3b90e
 DEPENDS = "libbsd libevent"
-SRC_URI = "\
+SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
-    http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
+           file://lldpd.init.d \
-    file://lldpd.init.d \
+           file://lldpd.default \
-    file://lldpd.default \
+           file://CVE-2023-41910.patch \
-    file://CVE-2023-41910.patch \
+           file://CVE-2021-43612.patch \
-    "
+           "
 SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"
 SRC_URI[sha256sum] = "98d200e76e30f6262c4a4493148c1840827898329146a57a34f8f0f928ca3def"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-04 10:12:51 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-08 22:03:03 +0100
commit	60f0e23124054f06fb5f668cdc98e09af4d59a9c (patch)
tree	a73ba3819d340b4d2e3959a9f2ebc98cc85f3d10 /meta-networking
parent	80ed7802adcfa69a0656ded30fa3da94353aba46 (diff)
download	meta-openembedded-60f0e23124054f06fb5f668cdc98e09af4d59a9c.tar.gz

diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch new file mode 100644 index 0000000000..30d416d769 --- /dev/null +++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
@@ -0,0 +1,93 @@
		1	From 97ea7541a12540fa6680058f09d47be451275725 Mon Sep 17 00:00:00 2001
		2	From: Vincent Bernat <vincent@bernat.ch>
		3	Date: Sun, 19 Sep 2021 21:18:47 +0200
		4	Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets
		5
		6	By sending short SONMP packets, an attacker can make the decoder crash
		7	by reading too much data on the heap. SONMP packets are fixed in size,
		8	just ensure we get the enough bytes to contain a SONMP packet.
		9
		10	CVE-2021-43612
		11
		12	CVE: CVE-2021-43612
		13	Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7]
		14	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		15	---
		16	src/daemon/protocols/sonmp.c \| 2 +-
		17	src/daemon/protocols/sonmp.h \| 2 +-
		18	tests/check_sonmp.c \| 10 +++++-----
		19	3 files changed, 7 insertions(+), 7 deletions(-)
		20
		21	diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
		22	index d2eed15..6c80cb0 100644
		23	--- a/src/daemon/protocols/sonmp.c
		24	+++ b/src/daemon/protocols/sonmp.c
		25	@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd cfg, char frame, int s,
		26
		27	length = s;
		28	pos = (u_int8_t*)frame;
		29	- if (length < SONMP_SIZE) {
		30	+ if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
		31	log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
		32	goto malformed;
		33	}
		34	diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
		35	index 0e60106..ff7a720 100644
		36	--- a/src/daemon/protocols/sonmp.h
		37	+++ b/src/daemon/protocols/sonmp.h
		38	@@ -24,7 +24,7 @@
		39	#define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
		40	#define LLC_PID_SONMP_HELLO 0x01a2
		41	#define LLC_PID_SONMP_FLATNET 0x01a1
		42	-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
		43	+#define SONMP_SIZE 19
		44
		45	struct sonmp_chassis {
		46	int type;
		47	diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
		48	index 8c7a208..b25f0e2 100644
		49	--- a/tests/check_sonmp.c
		50	+++ b/tests/check_sonmp.c
		51	@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
		52	IEEE 802.3 Ethernet
		53	Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
		54	Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
		55	- Length: 22
		56	+ Length: 19
		57	Logical-Link Control
		58	DSAP: SNAP (0xaa)
		59	IG Bit: Individual
		60	@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
		61	IEEE 802.3 Ethernet
		62	Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
		63	Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
		64	- Length: 22
		65	+ Length: 19
		66	Logical-Link Control
		67	DSAP: SNAP (0xaa)
		68	IG Bit: Individual
		69	@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
		70	*/
		71	char pkt1[] = {
		72	0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
		73	- 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
		74	+ 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
		75	0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
		76	0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
		77	0x01 };
		78	char pkt2[] = {
		79	0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
		80	- 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
		81	+ 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
		82	0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
		83	0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
		84	0x01 };
		85	@@ -99,7 +99,7 @@ Nortel Networks / SynOptics Network Management Protocol
		86	chassis.c_id_len = ETHER_ADDR_LEN;
		87	TAILQ_INIT(&chassis.c_mgmt);
		88	addr = inet_addr("172.17.142.37");
		89	- mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
		90	+ mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
		91	&addr, sizeof(in_addr_t), 0);
		92	if (mgmt == NULL)
		93	ck_abort();


diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb index 022bb62dd8..34cde7b929 100644 --- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb +++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -5,12 +5,12 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/ISC;md5=f3b90e
5		5
6	DEPENDS = "libbsd libevent"	6	DEPENDS = "libbsd libevent"
7		7
8	SRC_URI = "\	8	SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
9	http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \	9	file://lldpd.init.d \
10	file://lldpd.init.d \	10	file://lldpd.default \
11	file://lldpd.default \	11	file://CVE-2023-41910.patch \
12	file://CVE-2023-41910.patch \	12	file://CVE-2021-43612.patch \
13	"	13	"
14		14
15	SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"	15	SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"
16	SRC_URI[sha256sum] = "98d200e76e30f6262c4a4493148c1840827898329146a57a34f8f0f928ca3def"	16	SRC_URI[sha256sum] = "98d200e76e30f6262c4a4493148c1840827898329146a57a34f8f0f928ca3def"