1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

core/load-fragment: reject overly long paths early

No need to go through the specifier_printf() if the path is already too long in
the unexpanded form (since specifiers increase the length of the string in all
practical cases).

In the oss-fuzz test case, valgrind reports:
  total heap usage: 179,044 allocs, 179,044 frees, 72,687,755,703 bytes allocated
and the original config file is ~500kb. This isn't really a security issue,
since the config file has to be trusted any way, but just a matter of
preventing accidental resource exhaustion.

https://oss-fuzz.com/v2/issue/4651449704251392/6977

While at it, fix order of arguments in the neighbouring log_syntax() call.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2018-03-19 15:43:35 +01:00
parent e127f26b1a
commit e3c3d6761b
3 changed files with 16 additions and 4 deletions

View File

@ -226,11 +226,19 @@ int config_parse_unit_path_printf(
assert(rvalue);
assert(u);
/* Let's not bother with anything that is too long */
if (strlen(rvalue) >= PATH_MAX) {
log_syntax(unit, LOG_ERR, filename, line, 0,
"%s value too long%s.",
lvalue, fatal ? "" : ", ignoring");
return fatal ? -ENAMETOOLONG : 0;
}
r = unit_full_printf(u, rvalue, &k);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r,
"Failed to resolve unit specifiers on %s%s: %m",
fatal ? "" : ", ignoring", rvalue);
"Failed to resolve unit specifiers in \"%s\"%s: %m",
rvalue, fatal ? "" : ", ignoring");
return fatal ? -ENOEXEC : 0;
}

File diff suppressed because one or more lines are too long

View File

@ -32,10 +32,11 @@ fuzz_regression_tests = '''
fuzz-unit-file/oss-fuzz-6884
fuzz-unit-file/oss-fuzz-6885
fuzz-unit-file/oss-fuzz-6886
fuzz-unit-file/oss-fuzz-6917
fuzz-unit-file/oss-fuzz-6892
fuzz-unit-file/oss-fuzz-6908
fuzz-unit-file/oss-fuzz-6897
fuzz-unit-file/oss-fuzz-6897-evverx
fuzz-unit-file/oss-fuzz-6908
fuzz-unit-file/oss-fuzz-6917
fuzz-unit-file/oss-fuzz-6977
fuzz-unit-file/oss-fuzz-7004
'''.split()