From: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Wed, 5 May 2021 13:38:33 +0000 (+0200)
Subject: core: fix crash in parsing of SocketBind{Allow,Deny}=
X-Git-Tag: v249-rc1~293^2~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc87b3f68f7c3b44be0c3fb1deee9d08bedc93d6;p=thirdparty%2Fsystemd.git

core: fix crash in parsing of SocketBind{Allow,Deny}=

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33876.
---

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 4f506e51e87..cbc85d9695f 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -5670,11 +5670,11 @@ int config_parse_cgroup_socket_bind(
                 void *data,
                 void *userdata) {
         _cleanup_free_ CGroupSocketBindItem *item = NULL;
-        const char *address_family = NULL, *user_port;
+        const char *user_port;
         uint16_t nr_ports = 0, port_min = 0;
         CGroupSocketBindItem **head = data;
         _cleanup_free_ char *word = NULL;
-        int af = AF_UNSPEC, r;
+        int af, r;
 
         if (isempty(rvalue)) {
                 cgroup_context_remove_socket_bind(head);
@@ -5684,29 +5684,40 @@ int config_parse_cgroup_socket_bind(
         r = extract_first_word(&rvalue, &word, ":", 0);
         if (r == -ENOMEM)
                 return log_oom();
+        if (r <= 0) {
+                log_syntax(unit, LOG_WARNING, filename, line, r,
+                           "Unable to parse %s= assignment, ignoring: %s", lvalue, rvalue);
+                return 0;
+        }
 
-        if (rvalue)
-                address_family = word;
-
-        if (address_family) {
-                if (streq(address_family, "IPv4"))
+        if (rvalue) {
+                if (streq(word, "IPv4"))
                         af = AF_INET;
-                else if (streq(address_family, "IPv6"))
+                else if (streq(word, "IPv6"))
                         af = AF_INET6;
-                else
-                        return log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
-                                        "Only IPv4 or IPv6 protocols are supported, ignoring");
+                else {
+                        log_syntax(unit, LOG_WARNING, filename, line, 0,
+                                   "Only IPv4 and IPv6 protocols are supported, ignoring.");
+                        return 0;
+                }
+
+                user_port = rvalue;
+        } else {
+                af = AF_UNSPEC;
+                user_port = word;
         }
 
-        user_port = rvalue ?: word;
         if (!streq(user_port, "any")) {
                 uint16_t port_max;
 
                 r = parse_ip_port_range(user_port, &port_min, &port_max);
                 if (r == -ENOMEM)
                         return log_oom();
-                if (r < 0)
-                        return log_warning_errno(r, "Invalid port or port range, ignoring: %m");
+                if (r < 0) {
+                        log_syntax(unit, LOG_WARNING, filename, line, r,
+                                   "Invalid port or port range, ignoring: %m");
+                        return 0;
+                }
 
                 nr_ports = 1 + port_max - port_min;
         }
diff --git a/test/fuzz/fuzz-unit-file/oss-fuzz-33876 b/test/fuzz/fuzz-unit-file/oss-fuzz-33876
new file mode 100644
index 00000000000..00b38581f8c
Binary files /dev/null and b/test/fuzz/fuzz-unit-file/oss-fuzz-33876 differ