From: Zbigniew Jędrzejewski-Szmek Date: Wed, 27 Feb 2019 13:45:29 +0000 (+0100) Subject: networkd: refuse more than 128 NTP servers X-Git-Tag: v242-rc1~233^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c448459d5635e8ce7b7c0017df8d3bdc8e20c62e;p=thirdparty%2Fsystemd.git networkd: refuse more than 128 NTP servers This test case is a bit silly, but it shows that our code is unprepared to handle so many network servers, with quadratic complexity in various places. I don't think there are any valid reasons to have hundres of NTP servers configured, so let's just emit a warning and cut the list short. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13354 --- diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c index 2d42f0d742e..98cc8a263a8 100644 --- a/src/network/networkd-network.c +++ b/src/network/networkd-network.c @@ -23,6 +23,9 @@ #include "strv.h" #include "util.h" +/* Let's assume that anything above this number is a user misconfiguration. */ +#define MAX_NTP_SERVERS 128 + static void network_config_hash_func(const NetworkConfigSection *c, struct siphash *state) { siphash24_compress(c->filename, strlen(c->filename), state); siphash24_compress(&c->line, sizeof(c->line), state); @@ -1462,11 +1465,16 @@ int config_parse_ntp( continue; } - r = strv_push(l, w); + if (strv_length(*l) > MAX_NTP_SERVERS) { + log_syntax(unit, LOG_WARNING, filename, line, 0, + "More than %u NTP servers specified, ignoring \"%s\" and any subsequent entries.", + MAX_NTP_SERVERS, w); + break; + } + + r = strv_consume(l, TAKE_PTR(w)); if (r < 0) return log_oom(); - - w = NULL; } return 0; diff --git a/test/fuzz/fuzz-network-parser/oss-fuzz-13354 b/test/fuzz/fuzz-network-parser/oss-fuzz-13354 new file mode 100644 index 00000000000..2274fa5bd97 Binary files /dev/null and b/test/fuzz/fuzz-network-parser/oss-fuzz-13354 differ