From 4ed95fafad06473da7b3275461dd439e2af7d191 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 2 Oct 2023 10:28:55 +0900
Subject: [PATCH] network: set maximum length to be read by
 read_full_file_full()

Fixes #29264 and oss-fuzz#62556
(https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62556).
---
 src/network/netdev/macsec.c                 |  10 +++++++---
 src/network/netdev/wireguard.c              |   8 ++++++--
 test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 | Bin 0 -> 27849 bytes
 3 files changed, 13 insertions(+), 5 deletions(-)
 create mode 100644 test/fuzz/fuzz-netdev-parser/oss-fuzz-62556

diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
index 6d17d45059a..98927b168da 100644
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@@ -959,15 +959,19 @@ static int macsec_read_key_file(NetDev *netdev, SecurityAssociation *sa) {
                 return 0;
 
         r = read_full_file_full(
-                        AT_FDCWD, sa->key_file, UINT64_MAX, SIZE_MAX,
-                        READ_FULL_FILE_SECURE | READ_FULL_FILE_UNHEX | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+                        AT_FDCWD, sa->key_file, UINT64_MAX, MACSEC_KEYID_LEN,
+                        READ_FULL_FILE_SECURE |
+                        READ_FULL_FILE_UNHEX |
+                        READ_FULL_FILE_WARN_WORLD_READABLE |
+                        READ_FULL_FILE_CONNECT_SOCKET |
+                        READ_FULL_FILE_FAIL_WHEN_LARGER,
                         NULL, (char **) &key, &key_len);
         if (r < 0)
                 return log_netdev_error_errno(netdev, r,
                                               "Failed to read key from '%s', ignoring: %m",
                                               sa->key_file);
 
-        if (key_len != 16)
+        if (key_len != MACSEC_KEYID_LEN)
                 return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
                                               "Invalid key length (%zu bytes), ignoring: %m", key_len);
 
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index c89577609d4..4c7d837c412 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -1037,8 +1037,12 @@ static int wireguard_read_key_file(const char *filename, uint8_t dest[static WG_
         assert(dest);
 
         r = read_full_file_full(
-                        AT_FDCWD, filename, UINT64_MAX, SIZE_MAX,
-                        READ_FULL_FILE_SECURE | READ_FULL_FILE_UNBASE64 | READ_FULL_FILE_WARN_WORLD_READABLE | READ_FULL_FILE_CONNECT_SOCKET,
+                        AT_FDCWD, filename, UINT64_MAX, WG_KEY_LEN,
+                        READ_FULL_FILE_SECURE |
+                        READ_FULL_FILE_UNBASE64 |
+                        READ_FULL_FILE_WARN_WORLD_READABLE |
+                        READ_FULL_FILE_CONNECT_SOCKET |
+                        READ_FULL_FILE_FAIL_WHEN_LARGER,
                         NULL, &key, &key_len);
         if (r < 0)
                 return r;
diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-62556
new file mode 100644
index 0000000000000000000000000000000000000000..e2418f9e5f83a01911d57895363d0840fcd2b4a2
GIT binary patch
literal 27849
zcmeI5J!->H5QJ0fGCqL{laR*5MOx!R$S)x9Pa#JkWo}}~F><V2ATFmHFT`RczJ7|g
z`)21`2`q13mXCdDUrSrMp)C9U)OO9eI~}*xs(e0o`%*7<Wmvqu@AnTI#J6@sIyu9>
zQQdS0<X(68d-?jFU|!s-9XVP-bquO_AQ9B%Q~>hUts==n#@&%B;sH`+q^Bn7Ihi@<
z%)IW>Ka+d%#+^_>JOCA-!auxL6i30lIWrI5rNReum+Cq~PyXB;cPAcT6Jrx&6EoYR
z%!^TmqBx0|>L7x603tvHh+uMF=EW$JgnZ~2R0k2n0}ufsKm?QXGA~9MisB?<s)GpP
z0f+z*AcDzxnHQr>67r#AP#r`N4?qNn01-^i%e)w6D2kJasSYBD2Ot7OfCwh%WnPRj
zNyvweL3I#8JOB|O0z@!5FY{uQp(suwraFiq9)JiCVVXpk^mmYC0$~iln<9lt;c2Gu
zh+m~6Gud3l17s$dNoJbuQRc-clf0e?9fRs1f_MNTKm>?ja$e@eC__=4L`-!MK|BBv
zAOb`%IWO~Klu1H9bPTG42;u>V01+U9$$6O<qYOoH5;4_51n~ew7@r7<dY&YdW^s&l
ZIX{(QTdkWzsXwY!cih#7roH}y*&lNfkFWp$

literal 0
HcmV?d00001