From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 28 Jan 2022 02:53:49 +0000 (+0900)
Subject: sd-dhcp-server: refuse too large packet to send
X-Git-Tag: v251-rc1~432
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71df50a9734f7006bc1ac8be59ca81c797b39c35;p=thirdparty%2Fsystemd.git

sd-dhcp-server: refuse too large packet to send

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44134.
---

diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index ec9202d02ee..1d27d28959b 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -319,6 +319,9 @@ static int dhcp_server_send_unicast_raw(
 
         memcpy(link.ll.sll_addr, chaddr, hlen);
 
+        if (len > UINT16_MAX)
+                return -EOVERFLOW;
+
         dhcp_packet_append_ip_headers(packet, server->address, DHCP_PORT_SERVER,
                                       packet->dhcp.yiaddr,
                                       DHCP_PORT_CLIENT, len, -1);
diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824
new file mode 100644
index 00000000000..e902b6989b4
Binary files /dev/null and b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 differ