network/ndisc: refuse too many PREF64 prefixes

Follow-up for 6e8f5e4c1f5fcdb3b63343268936f9c269b6a209.

Addresses https://github.com/systemd/systemd/pull/29009#issuecomment-1705700926.

1 files changed, 9 insertions, 1 deletions

diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index 4038cd7347..f24f1f30fc 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -27,9 +27,12 @@
 
 #define NDISC_DNSSL_MAX 64U
 #define NDISC_RDNSS_MAX 64U
-/* Not defined RFC, but let's set an upper limit to make not consume much memory.
+/* Not defined in the RFC, but let's set an upper limit to make not consume much memory.
  * This should be safe as typically there should be at most 1 portal per network. */
 #define NDISC_CAPTIVE_PORTAL_MAX 64U
+/* Neither defined in the RFC. Just for safety. Otherwise, malformed messages can make clients trigger OOM.
+ * Not sure if the threshold is high enough. Let's adjust later if not. */
+#define NDISC_PREF64_MAX 64U
 
 bool link_ipv6_accept_ra_enabled(Link *link) {
         assert(link);
@@ -1051,6 +1054,11 @@ static int ndisc_router_process_pref64(Link *link, sd_ndisc_router *rt) {
                 return 0;
         }
 
+        if (set_size(link->ndisc_pref64) >= NDISC_PREF64_MAX) {
+                log_link_debug(link, "Too many PREF64 records received. Only first %u records will be used.", NDISC_PREF64_MAX);
+                return 0;
+        }
+
         new_entry = new(NDiscPREF64, 1);
         if (!new_entry)
                 return log_oom();