From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 29 May 2020 07:56:09 +0000 (+0900)
Subject: network: fix double free in macsec_receive_channel_free()
X-Git-Tag: v246-rc1~227
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e77fc66bceb9832da82a56a4c1040fe49f8d805;p=thirdparty%2Fsystemd.git

network: fix double free in macsec_receive_channel_free()

Fixes #15941.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22547
---

diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 3542f9652a3..8f7559e9ae7 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -102,7 +102,7 @@ static void macsec_receive_channel_free(ReceiveChannel *c) {
 
         if (c->macsec) {
                 if (c->sci.as_uint64 > 0)
-                        ordered_hashmap_remove(c->macsec->receive_channels, &c->sci.as_uint64);
+                        ordered_hashmap_remove_value(c->macsec->receive_channels, &c->sci.as_uint64, c);
 
                 if (c->section)
                         ordered_hashmap_remove(c->macsec->receive_channels_by_section, c->section);
diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
new file mode 100644
index 00000000000..ca55a33ae95
--- /dev/null
+++ b/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
@@ -0,0 +1,10 @@
+[NetDev]
+Name=o
+Kind=macsec
+
+[MACsecReceiveChannel]
+MACAddress=12.0.4
+Port=913
+[MACsecReceiveChannel]
+MACAddress=12.0.4
+Port=913