From cc87b3f68f7c3b44be0c3fb1deee9d08bedc93d6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 5 May 2021 15:38:33 +0200
Subject: [PATCH] core: fix crash in parsing of SocketBind{Allow,Deny}=
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33876.
---
 src/core/load-fragment.c | 39 +++++++++++++++---------
 test/fuzz/fuzz-unit-file/oss-fuzz-33876 | Bin 0 -> 6164 bytes
 2 files changed, 25 insertions(+), 14 deletions(-)
 create mode 100644 test/fuzz/fuzz-unit-file/oss-fuzz-33876
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 4f506e51e87..cbc85d9695f 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -5670,11 +5670,11 @@ int config_parse_cgroup_socket_bind(
 void *data,
 void *userdata) {
 _cleanup_free_ CGroupSocketBindItem *item = NULL;
- const char *address_family = NULL, *user_port;
+ const char *user_port;
 uint16_t nr_ports = 0, port_min = 0;
 CGroupSocketBindItem **head = data;
 _cleanup_free_ char *word = NULL;
- int af = AF_UNSPEC, r;
+ int af, r;
 if (isempty(rvalue)) {
 cgroup_context_remove_socket_bind(head);
@@ -5684,29 +5684,40 @@ int config_parse_cgroup_socket_bind(
 r = extract_first_word(&rvalue, &word, ":", 0);
 if (r == -ENOMEM)
 return log_oom();
+ if (r <= 0) {
+ log_syntax(unit, LOG_WARNING, filename, line, r,
+ "Unable to parse %s= assignment, ignoring: %s", lvalue, rvalue);
+ return 0;
+ }
- if (rvalue)
- address_family = word;
-
- if (address_family) {
- if (streq(address_family, "IPv4"))
+ if (rvalue) {
+ if (streq(word, "IPv4"))
 af = AF_INET;
- else if (streq(address_family, "IPv6"))
+ else if (streq(word, "IPv6"))
 af = AF_INET6;
- else
- return log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
- "Only IPv4 or IPv6 protocols are supported, ignoring");
+ else {
+ log_syntax(unit, LOG_WARNING, filename, line, 0,
+ "Only IPv4 and IPv6 protocols are supported, ignoring.");
+ return 0;
+ }
+
+ user_port = rvalue;
+ } else {
+ af = AF_UNSPEC;
+ user_port = word;
 }
- user_port = rvalue ?: word;
 if (!streq(user_port, "any")) {
 uint16_t port_max;
 r = parse_ip_port_range(user_port, &port_min, &port_max);
 if (r == -ENOMEM)
 return log_oom();
- if (r < 0)
- return log_warning_errno(r, "Invalid port or port range, ignoring: %m");
+ if (r < 0) {
+ log_syntax(unit, LOG_WARNING, filename, line, r,
+ "Invalid port or port range, ignoring: %m");
+ return 0;
+ }
 nr_ports = 1 + port_max - port_min;
 }
diff --git a/test/fuzz/fuzz-unit-file/oss-fuzz-33876 b/test/fuzz/fuzz-unit-file/oss-fuzz-33876
new file mode 100644
index 0000000000000000000000000000000000000000..00b38581f8ce44853c95492886c3b7e7fe64bdb8
GIT binary patch
literal 6164
zc-rk)-A=+V6y|zQLA*7Xaz()GVjDz>{1_%N#u?LW1*&BuT_=)w<6C&?JNg24j7>I% z0s?|`7u)%1PtVt$bK1^D^a-0ty43^XPHG{SLDw)00KhW=B zZC)eX?J^`lb-Y0)bAbt|GwKU0724JiTdXHbDsiSehb+Ymsjve* z!s@6mOZCu#V33kkp58FxE8q6cXsV z93SDc%s<>w#8hls3L(CkFF_gEBRMbe8BjVMY-2W(=P{LXtD;>ss!C12FIRoK*}D0m z&n&Y?PKp6` z#Wa_k$CoWWu{DdX3;9tZYYX_b?@s5!g3510PQ&&*G|zz9tM
literal 0
Hc-jL100001
--
2.47.3
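Review bot: In the new `if (r <= 0)` branch the warning formats `rvalue` after `extract_first_word(&rvalue, …)` has been given a pointer to it, so the message may show only the unparsed remainder rather than the assignment the administrator wrote; and since the code right below tests `if (rvalue)`, the pointer can apparently be NULL at that point and would then be passed to `%s`. Parsing from a copy keeps the original string for the log: `const char *p = rvalue;` followed by `r = extract_first_word(&p, &word, ":", 0);`, with the later `rvalue` tests and the `user_port = rvalue;` assignment switched to `p`. The other two new `log_syntax()` calls also omit the rejected token; appending `: %s` with `word` and `user_port` respectively would make a refused unit file easier to diagnose. The body of config_parse_cgroup_socket_bind() starts and ends outside this hunk.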