vpp / VPP-1420

CDP does not check memory bounds


    • Bug
    • Resolution: Done
    • Medium
    • L2

      Per the comment in the review https://gerrit.fd.io/r/#/c/14842/1/src/plugins/cdp/cdp_input.c I think there's a problem with the CDP code's bounds checking.  Firstly, it doesn't appear to check that the TLV header it's about to read lies within the packet (or, should it matter, that it's aligned suitably).  Secondly, it doesn't check that the TLV whose length it reads lies within the packet.

      This would only come up with malformed link-local packets and so would be hard to exploit, but a suitably crafted packet could scribble memory (since the CDP code uses the memory as scratch space).

            fivarga89 Filip Varga
            iawells Ian Wells
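
The two missing checks named in the description, as an added example (not VPP's code and not from the linked review): a walker that validates every TLV against the packet bounds before anything processes or modifies the buffer. The function name, the sample packets and the assumed layout (2-byte type and 2-byte length, big-endian, with the length counting the 4-byte header) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR_LEN 4u /* assumed: 2-byte type + 2-byte length, big-endian */

/* Constructed sample packets (TLV area only, not captured traffic). */
static const uint8_t pkt_good[] = {0x00, 0x01, 0x00, 0x06, 'R', '1',
                                   0x00, 0x03, 0x00, 0x08, 'e', 't', 'h', '0'};
static const uint8_t pkt_cut_header[] = {0x00, 0x01, 0x00, 0x06, 'R', '1',
                                         0x00, 0x03}; /* 2 of 4 header bytes */
static const uint8_t pkt_long_tlv[] = {0x00, 0x01, 0x00, 0x40, 'R', '1'};
static const uint8_t pkt_zero_len[] = {0x00, 0x01, 0x00, 0x00, 'R', '1'};

/* Read a big-endian 16-bit field byte by byte, so alignment never matters. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Validate the TLV sequence in buf[0..len) without writing to it.
 * Returns the number of TLVs, or -1 at the first malformed one.
 */
int tlv_validate(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        size_t remaining = len - off;
        /* Check 1: the header about to be read lies within the packet. */
        if (remaining < TLV_HDR_LEN)
            return -1;
        size_t tlv_len = rd16(buf + off + 2);
        /* Check 2: the declared length covers its own header (so the loop
         * always advances) and the whole TLV lies within the packet. */
        if (tlv_len < TLV_HDR_LEN || tlv_len > remaining)
            return -1;
        off += tlv_len;
        count++;
    }
    return count;
}

int main(void)
{
    printf("good=%d cut=%d\n", tlv_validate(pkt_good, sizeof pkt_good),
           tlv_validate(pkt_cut_header, sizeof pkt_cut_header));
    return 0;
}
```

Running the validation pass over the whole packet first means a later malformed TLV is rejected before any earlier TLV's bytes are used as scratch space.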