dhcp6: add missing option length check

author Yu Watanabe <watanabe.yu+github@gmail.com>

Tue, 17 Sep 2019 13:18:49 +0000 (22:18 +0900)

committer Frantisek Sumsal <frantisek@sumsal.cz>

Tue, 17 Sep 2019 18:29:20 +0000 (18:29 +0000)
author Yu Watanabe <watanabe.yu+github@gmail.com>
Tue, 17 Sep 2019 13:18:49 +0000 (22:18 +0900)
committer Frantisek Sumsal <frantisek@sumsal.cz>
Tue, 17 Sep 2019 18:29:20 +0000 (18:29 +0000)
diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c

index 7dab776b7295d2dc63faf0ed192fbd3e90980782..5a3b0a6353bd851694ea7804f32dd4543528933f 100644 (file)
--- a/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/libsystemd-network/sd-dhcp6-client.c
@@ -29,8 +29,8 @@
  
  #define MAX_MAC_ADDR_LEN INFINIBAND_ALEN
  
-#define IRT_DEFAULT 1 * USEC_PER_DAY
-#define IRT_MINIMUM 600 * USEC_PER_SEC
+#define IRT_DEFAULT (1 * USEC_PER_DAY)
+#define IRT_MINIMUM (600 * USEC_PER_SEC)
  
  /* what to request from the server, addresses (IA_NA) and/or prefixes (IA_PD) */
  enum {
@@ -1002,6 +1002,9 @@ static int client_parse_message(
                          break;
  
                  case SD_DHCP6_OPTION_INFORMATION_REFRESH_TIME:
+                        if (optlen != 4)
+                                return -EINVAL;
+
                          irt = be32toh(*(be32_t *) optval) * USEC_PER_SEC;
                          break;
                  }
diff --git a/test/fuzz/fuzz-dhcp6-client/crash-13578 b/test/fuzz/fuzz-dhcp6-client/crash-13578

new file mode 100644 (file)

index 0000000..0753966

Binary files /dev/null and b/test/fuzz/fuzz-dhcp6-client/crash-13578 differ
author	Yu Watanabe <watanabe.yu+github@gmail.com>
	Tue, 17 Sep 2019 13:18:49 +0000 (22:18 +0900)
committer	Frantisek Sumsal <frantisek@sumsal.cz>
	Tue, 17 Sep 2019 18:29:20 +0000 (18:29 +0000)
src/libsystemd-network/sd-dhcp6-client.c		patch \| blob \| blame \| history
test/fuzz/fuzz-dhcp6-client/crash-13578	[new file with mode: 0644]	patch \| blob