From 4ed95fafad06473da7b3275461dd439e2af7d191 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Mon, 2 Oct 2023 10:28:55 +0900
Subject: [PATCH] network: set maximum length to be read by read_full_file_full()

Fixes #29264 and oss-fuzz#62556 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62556).
---
 src/network/netdev/macsec.c | 10 +++++++---
 src/network/netdev/wireguard.c | 8 ++++++--
 test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 | Bin 0 -> 27849 bytes
 3 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 test/fuzz/fuzz-netdev-parser/oss-fuzz-62556

diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 6d17d45059..98927b168d 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -959,15 +959,19 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
 return 0;
 r = read_full_file_full(
- AT_FDCWD, sa->key_file, UINT64_MAX, SIZE_MAX,
- READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+ AT_FDCWD, sa->key_file, UINT64_MAX, MACSEC_KEYID_LEN,
+ READ_FULL_FILE_SECURE |
+ READ_FULL_FILE_UNHEX |
+ READ_FULL_FILE_WARN_WORLD_READABLE |
+ READ_FULL_FILE_CONNECT_SOCKET |
+ READ_FULL_FILE_FAIL_WHEN_LARGER,
 NULL, (char **) &key, &key_len);
 if (r < 0)
 return log_netdev_error_errno(netdev, r, "Failed to read key from '%s', ignoring: %m", sa->key_file);
- if (key_len != 16)
+ if (key_len != MACSEC_KEYID_LEN)
 return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), "Invalid key length (%zu bytes), ignoring: %m", key_len);
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index c89577609d..4c7d837c41 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
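Review bot: Nothing in this hunk shows whether read_full_file_full() applies the new `MACSEC_KEYID_LEN` limit to the decoded key or to the hex text in the file, which is at least twice as long. With `READ_FULL_FILE_UNHEX` and `READ_FULL_FILE_FAIL_WHEN_LARGER` set, the second reading would reject every valid key file. Once confirmed, this is worth recording above the call, e.g. `/* the size limit counts decoded bytes, not the hex text on disk */`; the same question applies to the `WG_KEY_LEN` / `READ_FULL_FILE_UNBASE64` call in wireguard.c. Separately, `MACSEC_KEYID_LEN` is by its name the key identifier length and only coincides with the key length the old literal `16` expressed, so a constant named for the key itself would read more accurately in both the limit and the `key_len` check. The function body starts before the hunk and continues after it.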
@@ -1037,8 +1037,12 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
 assert(dest);
 r = read_full_file_full(
- AT_FDCWD, filename, UINT64_MAX, SIZE_MAX,
- READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+ AT_FDCWD, filename, UINT64_MAX, WG_KEY_LEN,
+ READ_FULL_FILE_SECURE |
+ READ_FULL_FILE_UNBASE64 |
+ READ_FULL_FILE_WARN_WORLD_READABLE |
+ READ_FULL_FILE_CONNECT_SOCKET |
+ READ_FULL_FILE_FAIL_WHEN_LARGER,
 NULL, &key, &key_len);
 if (r < 0)
 return r;
diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556
new file mode 100644
index 0000000000000000000000000000000000000000..e2418f9e5f83a01911d57895363d0840fcd2b4a2
GIT binary patch literal 27849 zcma#{b#yLHO%6&;PR%S!bu2EFgbj!?1wbf5aEz?gc&BG47X9=4c!bvtGN5TpmFgKEH7vk9D^e$MtwJ$QIXQXAga`nTs2xj4zV`YXxxpK zDoANyv{a!}uL&v4N6XCNTxNb=(71cZ^}I(@=V+~flmDQdLN8_sp! zXni-Rs*llpH>je6q^X$ExEqZ-q%<(v5*uxajkd%Hv>uW23jviR6~%)@@u=@cYXqb; zFj^yw)(E3D0)cWKDZdayU`i}DGiL)2%|N^XpKOioJYzp1XPk#6b}-` zqrMxh5s=crXpJyhBaGGv1j>1&{6awGASvWYa>l6dMr#D5G%#8tjMfOFH3ETh9x1;N zP)SlzJV+Fe`fjvFKuQCnHNt3(Fj^xJDCd##3jvjbq>v}c8Kb@%tr3vYz-WyyS|g0s z2n5P`r2IlaB}ql`AW=N(yU`i}DGiL)2%|N^(5w-L^f^dKIdHU&8QnKES_+Sr!b7tZ zrsJt}qh;o3%M~dNjFy?BW#(v^Nuc$JlwSy_93;aNBspW$ccV1|QW_Yo5k_l-(Hen3 zIggZI2&g2fC>|t=M}0S1BOs-L(Hdd2Mi{LT2$b_k`GtVWK~l(*
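Review bot: An oversized key file now fails inside read_full_file_full() and leaves through `if (r < 0) return r;` carrying that call's errno, with nothing at this site saying that the file was too long rather than unreadable. If the callers, which are not visible in this hunk, log only the returned error, an operator troubleshooting a rejected key file gets little to go on. A debug log line before the return, or at least a comment such as `/* also fails when the file holds more than WG_KEY_LEN bytes of key data */`, would make the new failure mode explicit. The function continues past the end of the hunk, so any later length check is not visible here.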