From 4ed95fafad06473da7b3275461dd439e2af7d191 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 2 Oct 2023 10:28:55 +0900
Subject: [PATCH] network: set maximum length to be read by
 read_full_file_full()

Fixes #29264 and oss-fuzz#62556
(https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62556).
---
 src/network/netdev/macsec.c                 |  10 +++++++---
 src/network/netdev/wireguard.c              |   8 ++++++--
 test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 | Bin 0 -> 27849 bytes
 3 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 test/fuzz/fuzz-netdev-parser/oss-fuzz-62556

diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 6d17d45059a..98927b168da 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -959,15 +959,19 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
                 return 0;
 
         r = read_full_file_full(
-                        AT_FDCWD, sa->key_file, UINT64_MAX, SIZE_MAX,
-                        READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+                        AT_FDCWD, sa->key_file, UINT64_MAX, MACSEC_KEYID_LEN,
+                        READ_FULL_FILE_SECURE |
+                        READ_FULL_FILE_UNHEX |
+                        READ_FULL_FILE_WARN_WORLD_READABLE |
+                        READ_FULL_FILE_CONNECT_SOCKET |
+                        READ_FULL_FILE_FAIL_WHEN_LARGER,
                         NULL, (char **) &key, &key_len);
         if (r < 0)
                 return log_netdev_error_errno(netdev, r,
                                               "Failed to read key from '%s', ignoring: %m",
                                               sa->key_file);
 
-        if (key_len != 16)
+        if (key_len != MACSEC_KEYID_LEN)
                 return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
                                               "Invalid key length (%zu bytes), ignoring: %m", key_len);
 
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index c89577609d4..4c7d837c412 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -1037,8 +1037,12 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
         assert(dest);
 
         r = read_full_file_full(
-                        AT_FDCWD, filename, UINT64_MAX, SIZE_MAX,
-                        READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+                        AT_FDCWD, filename, UINT64_MAX, WG_KEY_LEN,
+                        READ_FULL_FILE_SECURE |
+                        READ_FULL_FILE_UNBASE64 |
+                        READ_FULL_FILE_WARN_WORLD_READABLE |
+                        READ_FULL_FILE_CONNECT_SOCKET |
+                        READ_FULL_FILE_FAIL_WHEN_LARGER,
                         NULL, &key, &key_len);
         if (r < 0)
                 return r;
diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556
new file mode 100644
index 0000000000000000000000000000000000000000..e2418f9e5f83a01911d57895363d0840fcd2b4a2
GIT binary patch
literal 27849
zc-rmVF$%(93<gl=Ud9u25XD98;3^KKjqpRQL$%`QO$3kOvAlqe;-r(HZw!0{Ub1A%
zay}Y&Q7xj1)W@jnwpA*3Y1^){SsbUSiF{Z`KV0vdX0Q}~H~du6(fxt$c0OH<gN}}l
zj*gCwj*jkg-Q$+N+8-Sq9UUDV9UUDV9UUDV9UUDV9UUDV9UUDV9UUDV9UUDV9UUDV
z9UUDV9UUDV9UUDV9UUDV9o=i#yy)oY=;-L^=;-L^=;-L^=;-L^=;-L^=;-L^=;-L^
g=)R}(k?JSIMeHWgud<@tM1II-sjc%(Sv?xu0do?MumAu6

literal 0
Hc-jL100001

-- 
2.47.3