From cecb7c403dc41a5d5287028e32bed7f29c3b6f2e Mon Sep 17 00:00:00 2001
From: Georg Gebauer
Date: Thu, 25 Apr 2024 17:34:28 +0200
Subject: [PATCH 1/3] lldpd: fix CVE-2023-41910 for kirkstone Apply changes to match fix of https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b More information about issue: - https://nvd.nist.gov/vuln/detail/CVE-2023-41910
Suggested-by: Vincent Bernat (vincent@bernat.ch)
Signed-off-by: Georg Gebauer
---
 .../lldpd/files/CVE-2023-41910.patch | 25 +++++++++++++++++++
 .../recipes-daemons/lldpd/lldpd_1.0.8.bb | 10 ++++----
 2 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 meta-networking/recipes-daemons/lldpd/files/CVE-2023-41910.patch
diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2023-41910.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2023-41910.patch
new file mode 100644
index 00000000000..03fd3233753
--- /dev/null
+++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2023-41910.patch
@@ -0,0 +1,25 @@
+From b961961e5eff35c233a5cb8484d2e51d4b513247 Mon Sep 17 00:00:00 2001
+From: Georg Gebauer
+Date: Thu, 25 Apr 2024 16:37:25 +0200
+Subject: [PATCH] Fix for CVE-2023-41910 Critical (9.8) issue - Fix Read
+ overflow when parsing CDP address
+
+References:
+- https://nvd.nist.gov/vuln/detail/CVE-2023-41910
+- https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b
+---
+ src/daemon/protocols/cdp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/daemon/protocols/cdp.c b/src/daemon/protocols/cdp.c
+index 4a14ff0..c3a7c22 100644
+--- a/src/daemon/protocols/cdp.c
++++ b/src/daemon/protocols/cdp.c
+@@ -483,6 +483,7 @@ cdp_decode(struct lldpd *cfg, char *frame, int s,
+ goto malformed;
+ }
+ PEEK_DISCARD(address_len);
++ addresses_len -= address_len;
+ (void)PEEK_SAVE(pos_next_address);
+ /* Next, we go back and try to extract
+ IPv4 address */
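Review bot: The header of the embedded `CVE-2023-41910.patch` has no `Upstream-Status:` line, no `CVE:` tag and no `Signed-off-by:`, so the origin of the backport is recorded only as free-text references. Since the commit message says the change matches upstream commit a9aeabdf879c25c584852a0bb5523837632f099b, I would add `Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/a9aeabdf879c25c584852a0bb5523837632f099b]` and `CVE: CVE-2023-41910` above the `---` line of the patch header. On the code, the added `addresses_len -= address_len;` is only safe if the guard that ends in `goto malformed;` just above rejects an `address_len` larger than `addresses_len`. That guard and the declarations of both variables lie outside the hunk (the body of `cdp_decode()` starts and ends outside it), so this should be confirmed against the 1.0.8 source rather than assumed from the upstream context.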
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
index cf2b156fe78..380acbae1f8 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -5,11 +5,11 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/ISC;md5=f3b90e
 DEPENDS = "libbsd libevent"
-SRC_URI = "\
- http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
- file://lldpd.init.d \
- file://lldpd.default \
- "
+SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
+ file://lldpd.init.d \
+ file://lldpd.default \
+ file://CVE-2023-41910.patch \
+ "
 SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"
 SRC_URI[sha256sum] = "98d200e76e30f6262c4a4493148c1840827898329146a57a34f8f0f928ca3def"
From 5e1dec4fa0e2376c94b60bd002cab92335a17c9f Mon Sep 17 00:00:00 2001
From: Georg Gebauer
Date: Fri, 26 Apr 2024 08:22:15 +0200
Subject: [PATCH 2/3] lldpd: Fix CVE-2021-43612 heap overflow when reading SONMP packages By sending short SONMP packets, an attacker can make the decoder crash by reading too much data on the heap. SONMP packets are fixed in size, just ensure we get the enough bytes to contain a SONMP packet. References: * https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7 * https://nvd.nist.gov/vuln/detail/CVE-2021-43612
Suggested-by: Vincent Bernat (vincent@bernat.ch)
CVE: CVE-2021-43612
Signed-off-by: Georg Gebauer
---
 .../lldpd/files/CVE-2021-43612.patch | 99 +++++++++++++++++++
 .../recipes-daemons/lldpd/lldpd_1.0.8.bb | 1 +
 2 files changed, 100 insertions(+)
 create mode 100644 meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
diff --git a/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch
new file mode 100644
index 00000000000..e809baeecaf
--- /dev/null
+++ b/meta-networking/recipes-daemons/lldpd/files/CVE-2021-43612.patch 
@@ -0,0 +1,99 @@
+From d1a916264c775d4bb42668de57be6645ca79c525 Mon Sep 17 00:00:00 2001
+From: Georg Gebauer
+Date: Fri, 26 Apr 2024 08:12:42 +0200
+Subject: [PATCH] Fix CVE-2021-43612 heap overflow when reading SONMP packages
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+References:
+* https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7
+* https://nvd.nist.gov/vuln/detail/CVE-2021-43612
+
+Suggested-by: Vincent Bernat (vincent@bernat.ch)
+CVE: CVE-2021-43612
+---
+ NEWS | 2 ++
+ src/daemon/protocols/sonmp.c | 2 +-
+ src/daemon/protocols/sonmp.h | 2 +-
+ tests/check_sonmp.c | 8 ++++----
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 18b059f..d62b86b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,8 @@ lldpd (1.0.8)
+ liblldpctl for malformed fields.
+ + Fix memory leak when receiving LLDPU with duplicate fields.
+ CVE-2020-27827.
++ + Fix heap overflow when reading SONMP. CVE-2021-43612.
++ Thanks to Jeremy Galindo for discovering this one.
+ * Changes:
+ + Enable "router" capability bit when IPv6 routing is enabled.
+
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index d2eed15..6c80cb0 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+
+ length = s;
+ pos = (u_int8_t*)frame;
+- if (length < SONMP_SIZE) {
++ if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+ log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+ goto malformed;
+ }
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106..ff7a720 100644
+--- a/src/daemon/protocols/sonmp.h
++++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
++#define SONMP_SIZE 19
+
+ struct sonmp_chassis {
+ int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208..b1f18c8 100644
+--- a/tests/check_sonmp.c
++++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet
+ Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+ Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+- Length: 22
++ Length: 19
+ Logical-Link Control
+ DSAP: SNAP (0xaa)
+ IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet
+ Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+ Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+- Length: 22
++ Length: 19
+ Logical-Link Control
+ DSAP: SNAP (0xaa)
+ IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+ */
+ char pkt1[] = {
+ 0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+- 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++ 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+ 0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 0x01 };
+ char pkt2[] = {
+ 0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+- 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++ 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+ 0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 0x01 };
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
index 380acbae1f8..34cde7b9290 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://media.luffy.cx/files/${BPN}/${BPN}-${PV}.tar.gz \
 file://lldpd.init.d \
 file://lldpd.default \
 file://CVE-2023-41910.patch \
+ file://CVE-2021-43612.patch \
 "
 SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"
From 30fa1feac54a5a1d4b9a2dcf6719a5adae9a2c9a Mon Sep 17 00:00:00 2001
From: Gebauer
Date: Tue, 18 Mar 2025 07:45:07 +0100
Subject: [PATCH 3/3] meta-networking lldpd_1.0.8.bb: Add CVE-2021-43612.patch to SRC_URI which was overseen by merge
---
 meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
index 0c021ecab7d..2e25c4dfa53 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -11,6 +11,7 @@ SRC_URI = "\
 file://lldpd.init.d \
 file://lldpd.default \
 file://CVE-2023-41910.patch \
+ file://CVE-2021-43612.patch \
 "
 SRC_URI[md5sum] = "000042dbf5b445f750b5ba01ab25c8ba"
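Review bot: The embedded `CVE-2021-43612.patch` (added in patch 2/3) has a `CVE:` tag but no `Upstream-Status:` line, and it carries the upstream `NEWS` hunk, which changes no code and is typically the part of a backport that stops applying first. I would add `Upstream-Status: Backport [https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7]` to the patch header and drop the `NEWS` section. In its `sonmp.c` hunk the new guard compares `length` (assigned from the `int s` parameter) with an expression containing `sizeof(u_int16_t)`, so if `length` is a signed int, which its declaration outside the hunk would confirm, the comparison is unsigned and a negative value would pass. The removed macro had the same property, so this is a pre-existing question for the callers of `sonmp_decode()` rather than a regression. `#define SONMP_SIZE 19` would also read better with a comment such as `/* bytes after the 802.3 length field: LLC/SNAP header plus SONMP payload */`, which matches the 19 bytes that follow `0x00, 0x13` in the updated test packets.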