From 71df50a9734f7006bc1ac8be59ca81c797b39c35 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 28 Jan 2022 11:53:49 +0900
Subject: [PATCH] sd-dhcp-server: refuse too large packet to send

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44134.
---
 src/libsystemd-network/sd-dhcp-server.c         |   3 +++
 ...z-dhcp-server-relay-message-4972399731277824 | Bin 0 -> 65508 bytes
 2 files changed, 3 insertions(+)
 create mode 100644 test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824

diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index ec9202d02e..1d27d28959 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -319,6 +319,9 @@ static int dhcp_server_send_unicast_raw(
 
         memcpy(link.ll.sll_addr, chaddr, hlen);
 
+        if (len > UINT16_MAX)
+                return -EOVERFLOW;
+
         dhcp_packet_append_ip_headers(packet, server->address, DHCP_PORT_SERVER,
                                       packet->dhcp.yiaddr,
                                       DHCP_PORT_CLIENT, len, -1);
diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824
new file mode 100644
index 0000000000000000000000000000000000000000..e902b6989b419428fa0114c973b148fbe583c871
GIT binary patch
literal 65508
zcmZSj&&J5Wu$O^>i2(wx|7T$M|DTbIfq{{cfq@|t0;W&Q{Qm#{|IEzH|NsC0k%1@$
zk)IV5m=wTR5yWt6gy|EHnOxMl@?Sy%NR<N1|Njb%jBFrw4v1i2V2Fm&|NsBL>z8La
z>0xnMEHl%8kQ%Ua7#SFt85pkr|NozX0mV5hI*TSNFeor6uqY@ffEgeTgDIl|3o`^T
zC@?S}WLOlU5gcS?%wQM%2LT3<r~fM`F!(b3GiP96_?(#u^K7Pqg2FrnA!5MMpC3x|
zXYKk)j9Nl!6cm`5nL!=|2d)B>!vC|70KTZO|Kcl1=$iaHnehGN;mJ`sAU{xq=ggTi
zCly4@nF9_LTm(20>lhfOfE1hn5ey9bFCL-}K#F~^$^WnaXF!X6kT^IsfudAFVS(cx
zQ2ao`2}D8@Ba?yxG(AFs>*{|6ltlCyqFuoeqz8gU8UFtVr2ue>f+Q`Z5CtbOaEf~^
z0ZJ<%cQ7z8utAkLLTL~MG8&{DWX6O4VB;7R7z`K{;1+;X{r~^}JxCQ8n=&deurV;G
zff7C_*D*j7J|i^YbAkAXpkP!`U|;}i{Qv*|_x}*LFfy_^LRcsyD3KfdRtrq{JYj<M
ze`XN(Fo-}=gv@~?0vO3~AL>{Tr3WGiU<QUv@$(E!|GU{3KxQyA6Ht#L&7`2<)QBa<
zkljZDJ2Nwrf`|sk7c_9e5#6$qMFUhW!kj!*BU*vjq>d2+AfJyWbx<gP@ZeACpt6MQ
z$R17ZphzA~?x0Wr;lZEWN0U0)ApnZt(WDLv1rQ!h>Vv+uI@*YVHiSW~Yy=){uS0?b
z)G-@vz<|oK(NY~03LrdMs*jfHgFXZx#TR(&WVBQVjm&{Y%|=IIkV61emW`I`pilte
z(NcZTmuaJI_0dutoK?Y-A)t8?jFIKhwmK+)MoV>2D1h*2sXkh&5Bd-oE!DwUb+lB+
z9Ri>L8ZFg9p#Z|8r8>Sc&D`9;*u>1(#K6eF(Ae0_!qn8v(8So%)C{zCWWbk)j5gv&
zi+gY$#$DKrHsV16G+Nw)LIH$Fi+g;<{h(O%H(IKXmg?ZFN@=NXWNJ2=*av+Gj3#!f
zBz9dB3qxa5Ln8}Ib5jd519KA#1H(Zd_oGGqXzHg*>IZd4VS6P&2IAYw0Nv7YA8CKl
z|NjiS;C&6BaqTb4R02)>!Z4G9g8Xmjevbc6A`A@IKY%v{*>kZo{1;(hV0f9C>F$u3
z3EHD%4cnvi7h_w<oxe~sKsyW^^+caQHYj~d067i5r9?+T!4Wh;@t=X=j)DTigZm5$
zoS>@l5M;a2|MyG^49~!uiyV*v%&p*!8IVm&bltl#nzu*uHYh8CHwA&WDUHssVT1rE
zfJQs#pilte(a!m3i*3+{z-Xxs&Z?jm$Y`mKJp@1jG+L^ILIH$FOZ7otrj54MM@w~Z
zRvj(XafbjXfJRGoP$+=#XsJG0st@`Q7%kPoSrvDgHo80l6hO2o)w#f@RWUL$j2@K(
z&4;8>qetan4X@F*Iy6`idl5mb(Ou?{U>V(I4hjL<mFf(1okWAg>FCy5&?FLQ4isYo
zWwZe^n$$rd0K=o*(m~%T8*RXhmg=DF3M$hfOISurb&L=I1rTkzr32Q089jJ*^x)Y+
zcf#;!Wi(nDfy&y^$_P&gfC6ZkRYss8BM2THID(V_pkb5I-t=fv2ZaC(kM^cVd((qH
z1R%xN=ol%e0v{bC#To*j@@%vL0}2HY9xc@eeVI1eEgdb@!C7^5=??A?00q!!sSXMS
z5FRbnM@#iV9|D8FR5ye=kyvVUl^WKN8deRM5qDw$=vq(2;RNR(Co4d%cLY_(ri_Tg
z1;~%+(ZNPgwLRK^0fhnxk2YWief3R#W(P&^Xi^7-0tk;L_0gn0=tBV7u7k{y!pPCt
zQb@3j&X$5g092NZmg=BT0O8S6ebAR_qYW5H@ijVIIyzg5GXy|o*=VT_3Iz}zE!9U$
z^+6v3qoq1HtAYk6u^-7bI@kybpwUtt6bc|bTB;BFGHtZ2K3b}Sv+8K6jynWE0W?~w
zgF*p>M@#k5Qhm^ez-Xxs&Z@Y}w9&RYD1b&wbx<gP@Mx(%=*u*c+Uk25v>4c+r6Ak&
z|Nj*jKzFbF|E~Zl5*R@@u!uu0LP<yfsRCbw!pI2LkpmK7U|@)b(*OVezw4K0Iq6|>
zSu8VjnHB>B69Xdy12Y5U(i5=Z;G_65Gcz++bQVnpSpyv<05cgB7)%)zSePMzL4g5$
znF?rl6m&dAG}u`Xg-FVn!7czL&;JYz43HI4z6}4&85kHoXJ-D-%*_1%|NkGzl`lf1
zfd3%#K!%S_uz^Dti5M*ihF3u_n$(dJH!5>9sgEZ0K_3F3T8e>TbS@dxRKU9LbhIY}
zD%D1NGN4cZ;n7lkaF=PMw9|2^RZw7NW`^vKU{X*}U{d&h7POrLbj9QTi?1L(8<T%0
z6TW{uJUJ={lq#@e1_lO_dR3#1DeU10zL+yp{5%8G|86#LUBx_l4%;w4hYeI2)A+bS
zoQVxp0=8~?4rqwrJG5)h$jIghZ95@Tpdkf=-)eygpC?SP{?82J9tIJ}YEam4!@-Qv
zrP+|c0gamsmxdR_N8nNm9LHdS!iYvqpp^0E%wbRf4W<28_|Ks5|NlyeX|M+0F%b9e
z!c(owgs$8I<w?jW8i=%HgpvRM|7ZFSiZhU6?3kHZ2?U^df&2G64Q?#J8Y~97I{7~X
zD5G744lIJl{vyC8LxU4cfd~CSEq74P{LcW^0@}=*sV51RM<uvWN=yX>(1EQC8Z0YY
z82|rQF#VUnm;e?UER`_Ww}c6Basm;cFc>YJP@^1)2TB*9VPFLX1xHBJ4n&HALJcGg
zN=1<5jTGb{LD2XyB(0z%jM35wDV+YJc8ZW?C}oe9PVmwRDKV4898LLHgKM;B1`QTa
z<$=HywoK-X_RRjHv@;kLKog~Edl?v*K=Yyu&?!y2UO_XO)JKy#s3IN#?U~V}KAO}=
zlRAMA07=6-_#ifN2Z+XFZlM0w2<oMd9z_N!jwl{19ag0}bdB46&@dM$bRcWobU_Q~
z7(auS&Vd%WWoAyFnECzxfA}giCD3pM3^OSx$p2PQPz23N{dW>!V7UGPJV#>B#m?|w
zgn@zKWoD+k1H=q#m>GW|E7_3DK%5WOcu~PoPxJ|7&EB^Jkki0x_CO_rj)H<CXlUd=
z1H&B!1%?Or85B4{BY%e=LnHs+Gbu1U1FyGpKn5^-z!PW+2&+bqBEvf`Fsza~IC(<|
z(8%xT%*g22BP2C|$<d?^4u;XySD@MiGzEn@|1w;L*+-N5Xi^9Dv_?l@@Pq&;fJVEe
zpilr|)H$`$adl9byoaP7$Zns}arJ=@fzeVOlq?~s64XZqttlCn>jXv{Fr!I*G^rB^
z0g&`)0|pcdAUxWD8QeQ1Mt3Jbi}ca`Z=($uJRtxo%SKCeP$+=#XsJG0st@`QfEMhC
zRgECl=*mV&uz)sdjE<{=%CgZ?9TW;6JX)#``Z8^F1O`%kQFkZZ=(sv4`w!)D_0glq
za2;a+5=R+~21WH~od*g95FV}bM(eym9|EIw9yqIxt`Nc<0-yjIE!9Dx0K%iC`k*h<
zMtd@&r8+pP;x5yM#rPDc{Y@zzJ&NrA{}Hrb3|cS{O^u%IfHkOwWDNr<5{bZ|sSGe4
zVOuG&Ml>G5(X4?daHu<oN<^w9TFK~vKkx&8Ft@{iLUDk)dLXNbz~GVzM2wbB__80v
bXz7G6ct8mVfhnB0CnD7ntz@)xf|pJJoQC4(

literal 0
HcmV?d00001