From 4e88a46bfe1d8c1b833f3d05b259a54947ce6b17 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 4 May 2022 15:45:13 +0900
Subject: [PATCH] libsystemd-network: refuse too large raw_size

Closes #23258.
---
 src/libsystemd-network/lldp-neighbor.c | 3 +++
 src/libsystemd-network/ndisc-router.c  | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/libsystemd-network/lldp-neighbor.c b/src/libsystemd-network/lldp-neighbor.c
index b0560199899..f8394c4374a 100644
--- a/src/libsystemd-network/lldp-neighbor.c
+++ b/src/libsystemd-network/lldp-neighbor.c
@@ -116,6 +116,9 @@ sd_lldp_neighbor *lldp_neighbor_unlink(sd_lldp_neighbor *n) {
 sd_lldp_neighbor *lldp_neighbor_new(size_t raw_size) {
         sd_lldp_neighbor *n;
 
+        if (raw_size > SIZE_MAX - ALIGN(sizeof(sd_lldp_neighbor)))
+                return NULL;
+
         n = malloc0(ALIGN(sizeof(sd_lldp_neighbor)) + raw_size);
         if (!n)
                 return NULL;
diff --git a/src/libsystemd-network/ndisc-router.c b/src/libsystemd-network/ndisc-router.c
index 464b002c2f0..26615ac666e 100644
--- a/src/libsystemd-network/ndisc-router.c
+++ b/src/libsystemd-network/ndisc-router.c
@@ -21,6 +21,9 @@ DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(sd_ndisc_router, sd_ndisc_router, mfree);
 sd_ndisc_router *ndisc_router_new(size_t raw_size) {
         sd_ndisc_router *rt;
 
+        if (raw_size > SIZE_MAX - ALIGN(sizeof(sd_ndisc_router)))
+                return NULL;
+
         rt = malloc0(ALIGN(sizeof(sd_ndisc_router)) + raw_size);
         if (!rt)
                 return NULL;
-- 
2.47.3