dhcp6: add missing option length check

Closes #13578.
author: Yu Watanabe <watanabe.yu+github@gmail.com> 2019-09-17 22:18:49 +0900
committer: Frantisek Sumsal <frantisek@sumsal.cz> 2019-09-17 18:29:20 +0000
commit: 6ffe71d0e22326f8ea5775c188ae0e13573cd123 (patch)
tree: c9cd15e6595f7abf5ff99c10a06ab6481a9304cd
parent: 59a224d7282e2605f1c6e45a588119263574267f (diff)
download: systemd-6ffe71d0e22326f8ea5775c188ae0e13573cd123.tar.gz
2 files changed, 5 insertions, 2 deletions
diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c
index 7dab776b72..5a3b0a6353 100644
--- a/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/libsystemd-network/sd-dhcp6-client.c
@@ -29,8 +29,8 @@
 
 #define MAX_MAC_ADDR_LEN INFINIBAND_ALEN
 
-#define IRT_DEFAULT 1 * USEC_PER_DAY
-#define IRT_MINIMUM 600 * USEC_PER_SEC
+#define IRT_DEFAULT (1 * USEC_PER_DAY)
+#define IRT_MINIMUM (600 * USEC_PER_SEC)
 
 /* what to request from the server, addresses (IA_NA) and/or prefixes (IA_PD) */
 enum {
@@ -1002,6 +1002,9 @@ static int client_parse_message(
                         break;
 
                 case SD_DHCP6_OPTION_INFORMATION_REFRESH_TIME:
+                        if (optlen != 4)
+                                return -EINVAL;
+
                         irt = be32toh(*(be32_t *) optval) * USEC_PER_SEC;
                         break;
                 }
diff --git a/test/fuzz/fuzz-dhcp6-client/crash-13578 b/test/fuzz/fuzz-dhcp6-client/crash-13578
new file mode 100644
index 0000000000..0753966ea4
--- /dev/null
+++ b/test/fuzz/fuzz-dhcp6-client/crash-13578
author	Yu Watanabe <watanabe.yu+github@gmail.com>	2019-09-17 22:18:49 +0900
committer	Frantisek Sumsal <frantisek@sumsal.cz>	2019-09-17 18:29:20 +0000
commit	6ffe71d0e22326f8ea5775c188ae0e13573cd123 (patch)
tree	c9cd15e6595f7abf5ff99c10a06ab6481a9304cd
parent	59a224d7282e2605f1c6e45a588119263574267f (diff)
download	systemd-6ffe71d0e22326f8ea5775c188ae0e13573cd123.tar.gz