addr_str_buffer is declared without initialization. If addr_str_length is small or zero, reads from the buffer can return stack garbage.
This was found by OSS-Fuzz in upstream lldpd. Reported-at: https://redhat.atlassian.net/browse/FDP-1441 Upstream: https://github.com/lldpd/lldpd/commit/83f0edd Signed-off-by: Timothy Redaelli <[email protected]> --- lib/lldp/lldp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c index 6fdcfef56..959103d4b 100644 --- a/lib/lldp/lldp.c +++ b/lib/lldp/lldp.c @@ -373,7 +373,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, struct lldpd_aa_isid_vlan_maps_tlv *isid_vlan_map = NULL; u_int8_t msg_auth_digest[LLDP_TLV_AA_ISID_VLAN_DIGEST_LENGTH]; struct lldpd_mgmt *mgmt; - u_int8_t addr_str_length, addr_str_buffer[32]; + u_int8_t addr_str_length, addr_str_buffer[32] = { 0 }; u_int8_t addr_family, addr_length, *addr_ptr, iface_subtype; u_int32_t iface_number, iface; -- 2.54.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
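Review bot: The `+ u_int8_t addr_str_length, addr_str_buffer[32] = { 0 };` line makes the stack buffer deterministic, so a read past the bytes actually written returns zeros instead of stack contents, but it does not bound the read itself; the hunk does not show whether addr_str_length is checked against sizeof(addr_str_buffer) (32) before the buffer is filled and consumed, and a length larger than 32 would still be a problem regardless of initialization. Suggest either adding (or pointing to, in the commit message) the length check that keeps the copy and the subsequent read within addr_str_length and the 32-byte buffer, so the zero-initialization is defense in depth rather than the only guard. Keeping the Reported-at and Upstream references in the message is good; citing the OSS-Fuzz issue id there too would help anyone triaging the same report downstream.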
