sd-network: avoid leaking DHCPLease

mrc0mmand · bluca · commit a0573a980c14 · 2023-07-10T22:01:38.000+01:00
If we fail any allocation prior adding the lease to the server lease hashmap. ==2103==ERROR: LeakSanitizer: detected memory leaks Direct leak of 128 byte(s) in 2 object(s) allocated from: #0 0x4a203e in __interceptor_calloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:77:3 #1 0x4f6341 in calloc (/build/fuzz-dhcp-server+0x4f6341) #2 0x4ec818 in add_lease /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:26:9 #3 0x4ec2bf in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/libsystemd-network/fuzz-dhcp-server.c:75:9 #4 0x4f68a8 in NaloFuzzerTestOneInput (/build/fuzz-dhcp-server+0x4f68a8) #5 0x5158b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #6 0x51509a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3 #7 0x516769 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19 #8 0x517435 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5 #9 0x50679f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6 #10 0x507068 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10 #11 0x4f6b25 in main (/build/fuzz-dhcp-server+0x4f6b25) #12 0x7f16084e3082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee) DEDUP_TOKEN: __interceptor_calloc--calloc--add_lease SUMMARY: AddressSanitizer: 128 byte(s) leaked in 2 allocation(s). Found by Nallocufzz. (cherry picked from commit aca607d) (cherry picked from commit 18e08a4) (cherry picked from commit aa0fb9c)
diff --git a/src/libsystemd-network/dhcp-server-internal.h b/src/libsystemd-network/dhcp-server-internal.h
@@ -115,6 +115,9 @@ int dhcp_server_send_packet(sd_dhcp_server *server,
 void client_id_hash_func(const DHCPClientId *p, struct siphash *state);
 int client_id_compare_func(const DHCPClientId *a, const DHCPClientId *b);
 
+DHCPLease *dhcp_lease_free(DHCPLease *lease);
+DEFINE_TRIVIAL_CLEANUP_FUNC(DHCPLease*, dhcp_lease_free);
+
 #define log_dhcp_server_errno(server, error, fmt, ...)          \
         log_interface_prefix_full_errno(                        \
                 "DHCPv4 server: ",                              \
diff --git a/src/libsystemd-network/fuzz-dhcp-server.c b/src/libsystemd-network/fuzz-dhcp-server.c
@@ -17,36 +17,59 @@ ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags) {
         return 0;
 }
 
-static void add_lease(sd_dhcp_server *server, const struct in_addr *server_address, uint8_t i) {
+static int add_lease(sd_dhcp_server *server, const struct in_addr *server_address, uint8_t i) {
+        _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL;
         static const uint8_t chaddr[] = {3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3};
-        DHCPLease *lease;
+        int r;
 
         assert(server);
 
-        assert_se(lease = new0(DHCPLease, 1));
+        lease = new0(DHCPLease, 1);
+        if (!lease)
+                return -ENOMEM;
+
+        lease->client_id.data = malloc(2);
+        if (!lease->client_id.data)
+                return -ENOMEM;
+
         lease->client_id.length = 2;
-        assert_se(lease->client_id.data = malloc(2));
         lease->client_id.data[0] = 2;
         lease->client_id.data[1] = i;
+
         lease->address = htobe32(UINT32_C(10) << 24 | i);
         lease->gateway = server_address->s_addr;
         lease->expiration = UINT64_MAX;
         lease->htype = ARPHRD_ETHER;
         lease->hlen = ETH_ALEN;
         memcpy(lease->chaddr, chaddr, ETH_ALEN);
-        assert_se(hashmap_ensure_put(&server->bound_leases_by_client_id, &dhcp_lease_hash_ops, &lease->client_id, lease) >= 0);
-        assert_se(hashmap_ensure_put(&server->bound_leases_by_address, NULL, UINT32_TO_PTR(lease->address), lease) >= 0);
-        lease->server = server;
+
+        lease->server = server; /* This must be set just before hashmap_put(). */
+
+        r = hashmap_ensure_put(&server->bound_leases_by_client_id, &dhcp_lease_hash_ops, &lease->client_id, lease);
+        if (r < 0)
+                return r;
+
+        r = hashmap_ensure_put(&server->bound_leases_by_address, NULL, UINT32_TO_PTR(lease->address), lease);
+        if (r < 0)
+                return r;
+
+        TAKE_PTR(lease);
+
+        return 0;
 }
 
-static void add_static_lease(sd_dhcp_server *server, uint8_t i) {
+static int add_static_lease(sd_dhcp_server *server, uint8_t i) {
         uint8_t id[2] = { 2, i };
+        int r;
 
         assert(server);
 
-        assert_se(sd_dhcp_server_set_static_lease(server,
-                                                  &(struct in_addr) { .s_addr = htobe32(UINT32_C(10) << 24 | i)},
-                                                  id, ELEMENTSOF(id)) >= 0);
+        r = sd_dhcp_server_set_static_lease(
+                                server,
+                                &(struct in_addr) { .s_addr = htobe32(UINT32_C(10) << 24 | i)},
+                                id, ELEMENTSOF(id));
+
+        return r;
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
@@ -66,12 +89,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
         assert_se(sd_dhcp_server_configure_pool(server, &address, 24, 0, 0) >= 0);
 
         /* add leases to the pool to expose additional code paths */
-        add_lease(server, &address, 2);
-        add_lease(server, &address, 3);
+        assert_se(add_lease(server, &address, 2) >= 0);
+        assert_se(add_lease(server, &address, 3) >= 0);
 
         /* add static leases */
-        add_static_lease(server, 3);
-        add_static_lease(server, 4);
+        assert_se(add_static_lease(server, 3) >= 0);
+        assert_se(add_static_lease(server, 4) >= 0);
 
         (void) dhcp_server_handle_message(server, (DHCPMessage*) duped, size);
 
diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
@@ -27,7 +27,7 @@
 #define DHCP_DEFAULT_LEASE_TIME_USEC USEC_PER_HOUR
 #define DHCP_MAX_LEASE_TIME_USEC (USEC_PER_HOUR*12)
 
-static DHCPLease *dhcp_lease_free(DHCPLease *lease) {
+DHCPLease *dhcp_lease_free(DHCPLease *lease) {
         if (!lease)
                 return NULL;
 
@@ -42,8 +42,6 @@ static DHCPLease *dhcp_lease_free(DHCPLease *lease) {
         return mfree(lease);
 }
 
-DEFINE_TRIVIAL_CLEANUP_FUNC(DHCPLease*, dhcp_lease_free);
-
 /* configures the server's address and subnet, and optionally the pool's size and offset into the subnet
  * the whole pool must fit into the subnet, and may not contain the first (any) nor last (broadcast) address
  * moreover, the server's own address may be in the pool, and is in that case reserved in order not to
