network: fix double free in macsec_receive_channel_free()

Fixes #15941. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22547
2020-05-29 16:56:09 +09:00 · 2020-05-29 16:56:09 +09:00 · 0e77fc66bc
parent b9d19abd38
commit 0e77fc66bc
2 changed files with 11 additions and 1 deletions
--- a/src/network/netdev/macsec.c
+++ b/src/network/netdev/macsec.c
@ -102,7 +102,7 @@ static void macsec_receive_channel_free(ReceiveChannel *c) {

        if (c->macsec) {
                if (c->sci.as_uint64 > 0)
-                        ordered_hashmap_remove(c->macsec->receive_channels, &c->sci.as_uint64);
+                        ordered_hashmap_remove_value(c->macsec->receive_channels, &c->sci.as_uint64, c);

                if (c->section)
                        ordered_hashmap_remove(c->macsec->receive_channels_by_section, c->section);
--- a/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
+++ b/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
@ -0,0 +1,10 @@
+[NetDev]
+Name=o
+Kind=macsec
+
+[MACsecReceiveChannel]
+MACAddress=12.0.4
+Port=913
+[MACsecReceiveChannel]
+MACAddress=12.0.4
+Port=913