From 6ffe71d0e22326f8ea5775c188ae0e13573cd123 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Tue, 17 Sep 2019 22:18:49 +0900
Subject: [PATCH] dhcp6: add missing option length check

Closes #13578.
---
 src/libsystemd-network/sd-dhcp6-client.c | 7 +++++--
 test/fuzz/fuzz-dhcp6-client/crash-13578 | Bin 0 -> 62 bytes
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzz/fuzz-dhcp6-client/crash-13578

diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c
index 7dab776b72..5a3b0a6353 100644
--- a/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/libsystemd-network/sd-dhcp6-client.c
@@ -29,8 +29,8 @@
 #define MAX_MAC_ADDR_LEN INFINIBAND_ALEN
-#define IRT_DEFAULT 1 * USEC_PER_DAY
-#define IRT_MINIMUM 600 * USEC_PER_SEC
+#define IRT_DEFAULT (1 * USEC_PER_DAY)
+#define IRT_MINIMUM (600 * USEC_PER_SEC)
 /* what to request from the server, addresses (IA_NA) and/or prefixes (IA_PD) */
 enum {
@@ -1002,6 +1002,9 @@ static int client_parse_message(
 break;
 case SD_DHCP6_OPTION_INFORMATION_REFRESH_TIME:
+ if (optlen != 4)
+ return -EINVAL;
+
 irt = be32toh(*(be32_t *) optval) * USEC_PER_SEC;
 break;
 }
diff --git a/test/fuzz/fuzz-dhcp6-client/crash-13578 b/test/fuzz/fuzz-dhcp6-client/crash-13578
new file mode 100644
index 0000000000000000000000000000000000000000..0753966ea4bdcdae2f6576276b735be8aec76a57
GIT binary patch
literal 62
hcmZQ)Vqjp9XAqe89}Il{C$a+tAV3nvz(y;81Oct?2)zIR

literal 0
HcmV?d00001

--
2.25.1
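Review bot: In the `@@ -1002,6 +1002,9 @@` hunk, the line after the new `optlen != 4` check still reads the value with `*(be32_t *) optval`, which treats a pointer into the received packet as 4-byte aligned. DHCPv6 options follow one another at offsets determined by the preceding option lengths, so optval is presumably not guaranteed to be aligned. On strict-alignment targets this is undefined behaviour that a malformed or hostile server reply could turn into a crash, even with the length now validated. Reading through systemd's unaligned helper avoids the cast: `irt = unaligned_read_be32(optval) * USEC_PER_SEC;` (include `unaligned.h` if this file does not already). client_parse_message starts and ends outside the hunk, so whether irt is later clamped against IRT_MINIMUM cannot be confirmed from here.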