From 6ffe71d0e22326f8ea5775c188ae0e13573cd123 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Tue, 17 Sep 2019 22:18:49 +0900
Subject: dhcp6: add missing option length check

Closes #13578.
---
 src/libsystemd-network/sd-dhcp6-client.c | 7 +++++--
 test/fuzz/fuzz-dhcp6-client/crash-13578 | Bin 0 -> 62 bytes
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzz/fuzz-dhcp6-client/crash-13578
diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c
index 7dab776b72..5a3b0a6353 100644
--- a/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/libsystemd-network/sd-dhcp6-client.c
@@ -29,8 +29,8 @@
 #define MAX_MAC_ADDR_LEN INFINIBAND_ALEN
-#define IRT_DEFAULT 1 * USEC_PER_DAY
-#define IRT_MINIMUM 600 * USEC_PER_SEC
+#define IRT_DEFAULT (1 * USEC_PER_DAY)
+#define IRT_MINIMUM (600 * USEC_PER_SEC)
 /* what to request from the server, addresses (IA_NA) and/or prefixes (IA_PD) */
 enum {
@@ -1002,6 +1002,9 @@ static int client_parse_message(
 break;
 case SD_DHCP6_OPTION_INFORMATION_REFRESH_TIME:
+ if (optlen != 4)
+ return -EINVAL;
+ irt = be32toh(*(be32_t *) optval) * USEC_PER_SEC;
 break;
 }
diff --git a/test/fuzz/fuzz-dhcp6-client/crash-13578 b/test/fuzz/fuzz-dhcp6-client/crash-13578
new file mode 100644
index 0000000000..0753966ea4
Binary files /dev/null and b/test/fuzz/fuzz-dhcp6-client/crash-13578 differ
--
cgit v1.2.1
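Review bot: In the `SD_DHCP6_OPTION_INFORMATION_REFRESH_TIME` case of the second hunk, the value is still loaded with `*(be32_t *) optval`, a cast dereference into what is presumably the received packet buffer. The new `optlen != 4` guard stops the short-option over-read, but nothing visible here guarantees 4-byte alignment of `optval`, so the load can be undefined behaviour or fault on strict-alignment targets. I would read it with the tree's unaligned helper, `irt = unaligned_read_be32(optval) * USEC_PER_SEC;` (whether `unaligned.h` is already included in this file is not visible in the hunk), or `memcpy` the four bytes into a local `be32_t` first. Writing the guard as `if (optlen != sizeof(be32_t))` would also tie the length to the type being read instead of a bare `4`. `client_parse_message()` starts and ends outside this hunk, so how other options handle malformed lengths cannot be compared from here.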