git.ipfire.org Git - thirdparty/systemd.git/commit

author	Luca Boccassi <luca.boccassi@gmail.com>
	Mon, 18 May 2026 11:05:10 +0000 (12:05 +0100)
committer	Yu Watanabe <watanabe.yu+github@gmail.com>
	Mon, 18 May 2026 16:43:25 +0000 (01:43 +0900)
commit	6fa5ebc506fc75fa2398e10ad2506dedf70d44d6
tree	b625b4b349da53bbe7e2b1e8a20ade58c050e60a	tree \| snapshot
parent	cc9ab5af2d6175a15944393dd4f3864afccf9c09	commit \| diff

dhcp-client: reject messages larger than the maximum UDP payload

dhcp_message_verify_header() only enforced a lower bound on the input
length, so dhcp_message_parse() happily accepted arbitrarily large
buffers. Such inputs could never have been received via UDP and would
later fail in dhcp_message_build() with -E2BIG once the parsed options'
combined size exceeds UDP_PAYLOAD_MAX_SIZE, which the fuzzer surfaced as
an assertion failure.

Reject inputs above UDP_PAYLOAD_MAX_SIZE up front, so the parse stage
mirrors what the wire format can actually carry.

Follow-up for 8c18bb6547c2138f2f17b921ec06f2c1f7cd17cd

Fixes https://github.com/systemd/systemd/issues/42147

Co-developed-by: Claude Opus 4.7 <noreply@anthropic.com>

src/libsystemd-network/dhcp-message.c		diff \| blob \| blame \| history
test/fuzz/fuzz-dhcp-client/oversized-message	[new file with mode: 0644]	blob