diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c index 6d17d45059a..98927b168da 100644 --- a/src/network/netdev/macsec.c +++ b/src/network/netdev/macsec.c @@ -959,15 +959,19 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) { return 0; r = read_full_file_full( - AT_FDCWD, sa->key_file, UINT64_MAX, SIZE_MAX, - READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, + AT_FDCWD, sa->key_file, UINT64_MAX, MACSEC_KEYID_LEN, + READ_FULL_FILE_SECURE | + READ_FULL_FILE_UNHEX | + READ_FULL_FILE_WARN_WORLD_READABLE | + READ_FULL_FILE_CONNECT_SOCKET | + READ_FULL_FILE_FAIL_WHEN_LARGER, NULL, (char **) &key, &key_len); if (r < 0) return log_netdev_error_errno(netdev, r, "Failed to read key from '%s', ignoring: %m", sa->key_file); - if (key_len != 16) + if (key_len != MACSEC_KEYID_LEN) return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), "Invalid key length (%zu bytes), ignoring: %m", key_len); diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c index c89577609d4..4c7d837c412 100644 --- a/src/network/netdev/wireguard.c +++ b/src/network/netdev/wireguard.c @@ -1037,8 +1037,12 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_ assert(dest); r = read_full_file_full( - AT_FDCWD, filename, UINT64_MAX, SIZE_MAX, - READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET, + AT_FDCWD, filename, UINT64_MAX, WG_KEY_LEN, + READ_FULL_FILE_SECURE | + READ_FULL_FILE_UNBASE64 | + READ_FULL_FILE_WARN_WORLD_READABLE | + READ_FULL_FILE_CONNECT_SOCKET | + READ_FULL_FILE_FAIL_WHEN_LARGER, NULL, &key, &key_len); if (r < 0) return r; diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 new file mode 100644 index 00000000000..e2418f9e5f8 Binary files /dev/null and b/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 differ