From 71df50a9734f7006bc1ac8be59ca81c797b39c35 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 28 Jan 2022 11:53:49 +0900
Subject: [PATCH] sd-dhcp-server: refuse too large packet to send

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44134.
---
 src/libsystemd-network/sd-dhcp-server.c         |   3 +++
 ...z-dhcp-server-relay-message-4972399731277824 | Bin 0 -> 65508 bytes
 2 files changed, 3 insertions(+)
 create mode 100644 test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824

diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index ec9202d02ee..1d27d28959b 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -319,6 +319,9 @@ static int dhcp_server_send_unicast_raw(
 
         memcpy(link.ll.sll_addr, chaddr, hlen);
 
+        if (len > UINT16_MAX)
+                return -EOVERFLOW;
+
         dhcp_packet_append_ip_headers(packet, server->address, DHCP_PORT_SERVER,
                                       packet->dhcp.yiaddr,
                                       DHCP_PORT_CLIENT, len, -1);
diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824
new file mode 100644
index 0000000000000000000000000000000000000000..e902b6989b419428fa0114c973b148fbe583c871
GIT binary patch
literal 65508
zc-rmU-D{gw9KiAO<Ovb8yWp6@U}w7+MO;amcY5Kn8?QF-PF4rcjTaA;2_5cI5avbk
zW?KY7%Fr8G|AoOAtSC;HQcwh0=>{UG;5Gu5QJ3R+%kw;`S!ugaJNiAPX`bYH&fD*E
zPLh&ya;gvraZ`w#aOr0ygi=9Kh(JFfVwXO<60a$x^gVt1&tZ|Io|HLhe~+4*Qy&ek
zJM?aMZho;JMdmD-S4sv!!Q7wqSI+pqI>VJS=i65wT)22H%qeq@t&YwmG}TeMLPOQL
zK0nu$LjUA-!S;^*sRuG2x}=Xp`b=KVj6N+Kly8bKfAwjnMZam9r5oxS8|y-@$<kKR
z*H0dO@c!pFo|MLrq|_CZHn|Q~cU=cB%UjETxZbVx??h{lm%3+X)$^tWo!(opNo<yE
z5I+>+Q*-dGd+gTo?eU~c^j&B)#tqR=G?|b}`9;UZCrut>>d|%APf8AD({q>0PI~1*
zFCarJ(?99Mf4*w0`0gn9r#qQbvw7TC19#;>CI$EtA7)Vs-Sp$8>A_$e>Oulv=b{~#
zNmm3q7a@F3YbuFMXGFjZ^78uex1-+W%hSr5UkW#i@WN0MtC^NfZUK@R`ag)A`lMiU
z3d8Lvd{)GEn4T}t?%_<JFD>RLOpRXjK<~T<p#EY}HyOem?#%2^hdR`u4t1zQ9qLer
zI@F;Kb*Muf>QIL|)S(V_s6!p<P>1?%Q*SoQ)mo!kD^Hax)oP<vuQw{SYP;SjGX@v~
zO!rWSI@F;K^*u;^s@?!Q*!Kta6SY>QTCYsC+Rb{aQEt{+<qG=I&%2t9f%Z!}Rx|61
zbcrWyyL-=CUlbqPu%zS2x?j(sPQ9YDcw}q+X7MGV^r84Yj^8@z@|Ygv@$^5-Lhe1y
ztO@B%9{klUQ2IMERZEtXyrDbNv{vVTPaof374l`%tlO>=)We(<zuCn_C$lLniLuSt
z<`WClp$>JZLmlc+hdR`u4t1zQ9qLerI@F;))*dL@I71!k%<52wI@F;Kb*Muf>QIL|
z)b|&4Mkphc5ejvvLmlc+hdR`u4t1zQ9qLerI@F;Kb*Muf>QMiGs8^s4^$k6+?{*9r
zF6w*N(IVTwP-j->4Gh$w4t1zQ9qLerI@F;Kb*Muf>QIL|)S(V_s6!p<P=`9yp$>JZ
zLmlc+hx-1cep9?|YV0~e*VRSEUv8QZA97!7iXxl0`C5~%p}9ZnFPrgyb>1sy&bO~V
zxNz}Y=)b0=`@!TA`hG}5ZoZ>+eSWT+sZ6F5^Px-nNTko?<;>{Q!a?~qp04qyMZc*J
zdU2e53C!{+Z6`4iFcI*Y2X&}J9qLerI@F=QJAp2ZAxWt}93-nK^sl-rGoiDeY-;^G
z(c0ss?%CPRtT5~tcD%yug!(SDev5iiv<wS|#hwVX8e`Ixk)~6XRAxvl4iCp~%+1P|
z-+la5>BnD&|KZjS2DiqNDr{Ox7#=gpchQ0Mza|chNYnP#EQGXS5koBBQ5hj_#<39|
zgkIQ7jKX;GwGk004$*Mp#6*7ak|rkW{V0g`)Qd2)6SEVu6SGq?J0YKch%m`R9qLer
zI@F;Kb*KxrB7-_xk+BsS)S1<J0|RxaLmlc+hdR`u4t1zQ9qLerI@F;Kb*Muf>QIL|
z)S(V_s6!p<P=`9yq0UxhY(>UIz(l}n9@L=@b*Muf>QIOJ_5;mUWDGlo9j`EK_`}d(
Y!yh*M+3tov%udWs%udWsdvkXB7o3LT=Kufz

literal 0
Hc-jL100001

-- 
2.47.3