sd-network: avoid leaking DHCPLease

If we fail any allocation prior adding the lease to the server lease
hashmap.

==2103==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 128 byte(s) in 2 object(s) allocated from:
    #0 0x4a203e in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3
    #1 0x4f6341 in calloc (/build/fuzz-dhcp-server+0x4f6341)
    #2 0x4ec818 in add_lease /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:26:9
    #3 0x4ec2bf in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:75:9
    #4 0x4f68a8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-server+0x4f68a8)
    #5 0x5158b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #6 0x51509a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
    #7 0x516769 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
    #8 0x517435 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
    #9 0x50679f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
    #10 0x507068 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10
    #11 0x4f6b25 in main (/build/fuzz-dhcp-server+0x4f6b25)
    #12 0x7f16084e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)

DEDUP_TOKEN: __interceptor_calloc--calloc--add_lease
SUMMARY: AddressSanitizer: 128 byte(s) leaked in 2 allocation(s).

Found by Nallocufzz.

diff --git a/src/libsystemd-network/dhcp-server-internal.h b/src/libsystemd-network/dhcp-server-internal.h
index 607f9f0c2fa0288a8d11ab353ade74c5f6f76771..466d4541c368a07a1574cff6b4b9ca707aedd9c8 100644 (file)
--- a/src/libsystemd-network/dhcp-server-internal.h
+++ b/src/libsystemd-network/dhcp-server-internal.h
@@ -115,6 +115,9 @@ int dhcp_server_send_packet(sd_dhcp_server *server,
 void client_id_hash_func(const DHCPClientId *p, struct siphash *state);
 int client_id_compare_func(const DHCPClientId *a, const DHCPClientId *b);
 
+DHCPLease *dhcp_lease_free(DHCPLease *lease);
+DEFINE_TRIVIAL_CLEANUP_FUNC(DHCPLease*, dhcp_lease_free);
+
 #define log_dhcp_server_errno(server, error, fmt, ...)          \
         log_interface_prefix_full_errno(                        \
                 "DHCPv4 server: ",                              \

diff --git a/src/libsystemd-network/fuzz-dhcp-server.c b/src/libsystemd-network/fuzz-dhcp-server.c
index b35f1ac6daa713ee2bd6d3a952e4a0bb9650a149..ad00654a91bfae19bf344f0659aa9be5acc81dc7 100644 (file)
--- a/src/libsystemd-network/fuzz-dhcp-server.c
+++ b/src/libsystemd-network/fuzz-dhcp-server.c
@@ -17,36 +17,59 @@ ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags) {
         return 0;
 }
 
-static void add_lease(sd_dhcp_server *server, const struct in_addr *server_address, uint8_t i) {
+static int add_lease(sd_dhcp_server *server, const struct in_addr *server_address, uint8_t i) {
+        _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL;
         static const uint8_t chaddr[] = {3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3};
-        DHCPLease *lease;
+        int r;
 
         assert(server);
 
-        assert_se(lease = new0(DHCPLease, 1));
+        lease = new0(DHCPLease, 1);
+        if (!lease)
+                return -ENOMEM;
+
+        lease->client_id.data = malloc(2);
+        if (!lease->client_id.data)
+                return -ENOMEM;
+
         lease->client_id.length = 2;
-        assert_se(lease->client_id.data = malloc(2));
         lease->client_id.data[0] = 2;
         lease->client_id.data[1] = i;
+
         lease->address = htobe32(UINT32_C(10) << 24 | i);
         lease->gateway = server_address->s_addr;
         lease->expiration = UINT64_MAX;
         lease->htype = ARPHRD_ETHER;
         lease->hlen = ETH_ALEN;
         memcpy(lease->chaddr, chaddr, ETH_ALEN);
-        assert_se(hashmap_ensure_put(&server->bound_leases_by_client_id, &dhcp_lease_hash_ops, &lease->client_id, lease) >= 0);
-        assert_se(hashmap_ensure_put(&server->bound_leases_by_address, NULL, UINT32_TO_PTR(lease->address), lease) >= 0);
-        lease->server = server;
+
+        lease->server = server; /* This must be set just before hashmap_put(). */
+
+        r = hashmap_ensure_put(&server->bound_leases_by_client_id, &dhcp_lease_hash_ops, &lease->client_id, lease);
+        if (r < 0)
+                return r;
+
+        r = hashmap_ensure_put(&server->bound_leases_by_address, NULL, UINT32_TO_PTR(lease->address), lease);
+        if (r < 0)
+                return r;
+
+        TAKE_PTR(lease);
+
+        return 0;
 }
 
-static void add_static_lease(sd_dhcp_server *server, uint8_t i) {
+static int add_static_lease(sd_dhcp_server *server, uint8_t i) {
         uint8_t id[2] = { 2, i };
+        int r;
 
         assert(server);
 
-        assert_se(sd_dhcp_server_set_static_lease(server,
-                                                  &(struct in_addr) { .s_addr = htobe32(UINT32_C(10) << 24 | i)},
-                                                  id, ELEMENTSOF(id)) >= 0);
+        r = sd_dhcp_server_set_static_lease(
+                                server,
+                                &(struct in_addr) { .s_addr = htobe32(UINT32_C(10) << 24 | i)},
+                                id, ELEMENTSOF(id));
+
+        return r;
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
@@ -66,12 +89,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         assert_se(sd_dhcp_server_configure_pool(server, &address, 24, 0, 0) >= 0);
 
         /* add leases to the pool to expose additional code paths */
-        add_lease(server, &address, 2);
-        add_lease(server, &address, 3);
+        assert_se(add_lease(server, &address, 2) >= 0);
+        assert_se(add_lease(server, &address, 3) >= 0);
 
         /* add static leases */
-        add_static_lease(server, 3);
-        add_static_lease(server, 4);
+        assert_se(add_static_lease(server, 3) >= 0);
+        assert_se(add_static_lease(server, 4) >= 0);
 
         (void) dhcp_server_handle_message(server, (DHCPMessage*) duped, size);
 

diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index 196867360f1f54ce50bdf0bea50fd28b2de59f21..14ac1cf66f18e918a58594129e0be49ceaa2f2f8 100644 (file)
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -27,7 +27,7 @@
 #define DHCP_DEFAULT_LEASE_TIME_USEC USEC_PER_HOUR
 #define DHCP_MAX_LEASE_TIME_USEC (USEC_PER_HOUR*12)
 
-static DHCPLease *dhcp_lease_free(DHCPLease *lease) {
+DHCPLease *dhcp_lease_free(DHCPLease *lease) {
         if (!lease)
                 return NULL;
 
@@ -42,8 +42,6 @@ static DHCPLease *dhcp_lease_free(DHCPLease *lease) {
         return mfree(lease);
 }
 
-DEFINE_TRIVIAL_CLEANUP_FUNC(DHCPLease*, dhcp_lease_free);
-
 /* configures the server's address and subnet, and optionally the pool's size and offset into the subnet
  * the whole pool must fit into the subnet, and may not contain the first (any) nor last (broadcast) address
  * moreover, the server's own address may be in the pool, and is in that case reserved in order not to