From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Wed, 31 Mar 2021 08:54:28 +0000 (+0200)
Subject: confile: cap to last bit in set_config_net_ipv4_address()
X-Git-Tag: lxc-5.0.0~224^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3758%2Fhead;p=thirdparty%2Flxc.git

confile: cap to last bit in set_config_net_ipv4_address()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32708
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index fa9c79481..dbb7e3b01 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -781,22 +781,22 @@ static int set_config_net_ipv4_address(const char *key, const char *value,
 	}
 
 	/* No prefix specified, determine it from the network class. */
-	if (prefix) {
+	ret = 0;
+	if (prefix)
 		ret = lxc_safe_uint(prefix, &inetdev->prefix);
-		if (ret < 0)
-			return ret;
-	} else {
+	else
 		inetdev->prefix = config_ip_prefix(&inetdev->addr);
-	}
-	if (inetdev->prefix > 32)
+	if (ret || inetdev->prefix > 32)
 		return ret_errno(EINVAL);
 
-	/* If no broadcast address, let compute one from the
-	 * prefix and address.
-	 */
+	/* If no broadcast address, compute one from the prefix and address. */
 	if (!bcast) {
+		unsigned int shift = LAST_BIT_PER_TYPE(inetdev->prefix);
+
 		inetdev->bcast.s_addr = inetdev->addr.s_addr;
-		inetdev->bcast.s_addr |= htonl(INADDR_BROADCAST >> inetdev->prefix);
+		if (inetdev->prefix < shift)
+			shift = inetdev->prefix;
+		inetdev->bcast.s_addr |= htonl(INADDR_BROADCAST >> shift);
 	}
 
 	list->elem = inetdev;
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 2873deb17..4c13f8335 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -737,4 +737,8 @@ enum {
 #define __aligned_u64 __u64 __attribute__((aligned(8)))
 #endif
 
+#define BITS_PER_BYTE 8
+#define BITS_PER_TYPE(type) (sizeof(type) * 8)
+#define LAST_BIT_PER_TYPE(type) (BITS_PER_TYPE(type) - 1)
+
 #endif /* __LXC_MACRO_H */