An out-of-bounds read vulnerability exists due to a boundary error when reading SONMP packets. A remote user can send specially crafted packets to the application, trigger a heap-based buffer over-read and leak memory values from the lldpd application or crash it.

References:
https://www.cybersecurity-help.cz/vdb/SB2021111808
https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7
https://lldpd.github.io/security.html
Created lldpd tracking bugs for this issue:
Affects: epel-7 [bug 2040391]
Affects: fedora-all [bug 2040390]
Upstream patch commit: https://github.com/lldpd/lldpd/commit/73d42680fce8598324364dbb31b9bc3b8320adf7
In sonmp.c:sonmp_decode() there is the following code, where some bytes outside of the heap-allocated buffer can be read:

```c
/* Read the IPv4 address and the segment bytes straight from the packet */
PEEK_BYTES(&address, sizeof(struct in_addr));
memcpy(chassis->c_id + 1, &address, sizeof(struct in_addr));
if (asprintf(&chassis->c_name, "%s", inet_ntoa(address)) == -1) {
	log_warnx("sonmp", "unable to write chassis name for %s",
	    hardware->h_ifname);
	goto malformed;
}
PEEK_BYTES(seg, sizeof(seg));
rchassis = PEEK_UINT8;
```

The PEEK_* functions just read from the packet and adjust the `pos` pointer and the `length` value according to the number of bytes that were read. The values `address`, `seg` and `rchassis` do not seem to be used in any dangerous way that could allow the wrongly read values to alter the execution of the program.

By looking at the code mentioned above and the commit message of the upstream patch, this is rather an out-of-bounds read on the heap, which may be used to leak values from the memory of the program or, under special conditions, crash the program. Thus the Impact of this flaw is set to Moderate and the CVSS is set to 7.3/CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. In particular, Attack Vector is set to Adjacent (AV:A) as lldpd involves link layer protocols and requires an attacker to be adjacent to the victim system; Confidentiality is set to High (C:H) because the values read out-of-bounds could be used to construct other packets that an attacker may read; Availability is set to High (A:H) as we could not exclude that the out-of-bounds read would result in a crash of lldpd when reading invalid memory.
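The defensive pattern the decode step above lacks, as an added illustration that is not lldpd's code and does not reproduce the upstream fix: a reader that compares every requested read against the bytes still remaining in the packet, so a truncated packet is reported as malformed instead of being read past its end. The `struct reader`, `peek_bytes`, the `sonmp_decode_tail` layout (4-byte address, 3-byte segment, 1-byte chassis) and the sample packets are all constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reader state: current position and bytes left in the packet. */
struct reader { const uint8_t *pos; size_t length; };

/* Bounds-checked read: refuse any read that would go past the packet end. */
static int peek_bytes(struct reader *r, void *dst, size_t n) {
	if (n > r->length)
		return -1;      /* this is the read the vulnerable code performed anyway */
	memcpy(dst, r->pos, n);
	r->pos += n;
	r->length -= n;
	return 0;
}

/* Same field sequence as the decode step quoted above: address, seg, rchassis.
 * Returns 0 on success, -1 when the packet is too short (the "malformed" path). */
int sonmp_decode_tail(const uint8_t *pkt, size_t len, struct in_addr *address,
    uint8_t seg[3], uint8_t *rchassis) {
	struct reader r = { pkt, len };
	if (peek_bytes(&r, address, sizeof(*address)) < 0) return -1;
	if (peek_bytes(&r, seg, 3) < 0) return -1;
	if (peek_bytes(&r, rchassis, 1) < 0) return -1;
	return 0;
}

/* Constructed sample packets (not real SONMP captures). */
static const uint8_t sample_full[8]  = { 10, 0, 0, 1, 0xAA, 0xBB, 0xCC, 5 };
static const uint8_t sample_short[6] = { 10, 0, 0, 1, 0xAA, 0xBB };

/* Helpers returning the decoded field, or -1 if the packet was rejected. */
long decoded_address(const uint8_t *pkt, size_t len) {
	struct in_addr a; uint8_t s[3]; uint8_t c;
	if (sonmp_decode_tail(pkt, len, &a, s, &c) < 0) return -1;
	return (long)ntohl(a.s_addr);
}

int decoded_rchassis(const uint8_t *pkt, size_t len) {
	struct in_addr a; uint8_t s[3]; uint8_t c;
	if (sonmp_decode_tail(pkt, len, &a, s, &c) < 0) return -1;
	return c;
}
```

With the 6-byte sample, the unchecked code would have read two bytes beyond the buffer for `seg` and one more for `rchassis`; the checked reader reports the packet as malformed before touching them.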