]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a663f5e)
sd-dhcp-server: refuse too large packet to send
authorYu Watanabe <watanabe.yu+github@gmail.com>
Fri, 28 Jan 2022 02:53:49 +0000 (11:53 +0900)
committerLuca Boccassi <luca.boccassi@gmail.com>
Fri, 28 Jan 2022 10:22:53 +0000 (10:22 +0000)
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44134.

src/libsystemd-network/sd-dhcp-server.c patch | blob | blame | history
test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 [new file with mode: 0644] patch | blob

diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index ec9202d02ee8c09e575599197b12efc8ef373151..1d27d28959b918399e8a71afb7ca3fa3246e7a6a 100644 (file)
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -319,6 +319,9 @@ static int dhcp_server_send_unicast_raw(
 
         memcpy(link.ll.sll_addr, chaddr, hlen);
 
+        if (len > UINT16_MAX)
+                return -EOVERFLOW;
+
         dhcp_packet_append_ip_headers(packet, server->address, DHCP_PORT_SERVER,
                                       packet->dhcp.yiaddr,
                                       DHCP_PORT_CLIENT, len, -1);
diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824
new file mode 100644 (file)
index 0000000..e902b69
Binary files /dev/null and b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 differ
Unnamed repository; edit this file 'description' to name the repository.