fix double free in macsec_receive_channel_free() and fix crash in network L2TP

network-L2TP-fix-crash.patch

@@ -0,0 +1,59 @@
+From a1422af564e3b1128fc7754596b4c2f8b36a4620 Mon Sep 17 00:00:00 2001
+From: Susant Sahani <ssahani@vmware.com>
+Date: Sat, 30 May 2020 06:35:28 +0200
+Subject: [PATCH] network: L2TP fix crash
+
+```
+=220358== Invalid read of size 8
+==220358==    at 0x452F05: l2tp_session_free (l2tp-tunnel.c:46)
+==220358==    by 0x456926: l2tp_tunnel_done (l2tp-tunnel.c:725)
+==220358==    by 0x43CF4D: netdev_free (netdev.c:205)
+==220358==    by 0x43D045: netdev_unref (netdev.c:210)
+==220358==    by 0x4198B7: manager_free (networkd-manager.c:1877)
+==220358==    by 0x40D0B3: manager_freep (networkd-manager.h:105)
+==220358==    by 0x40DE1C: run (networkd.c:21)
+==220358==    by 0x40DE75: main (networkd.c:130)
+==220358==  Address 0x5c035d0 is 0 bytes inside a block of size 40 free'd
+==220358==    at 0x483A9F5: free (vg_replace_malloc.c:538)
+==220358==    by 0x452F87: l2tp_session_free (l2tp-tunnel.c:57)
+==220358==    by 0x456857: netdev_l2tp_tunnel_verify (l2tp-tunnel.c:710)
+==220358==    by 0x440947: netdev_load_one (netdev.c:738)
+==220358==    by 0x441222: netdev_load (netdev.c:851)
+==220358==    by 0x419C50: manager_load_config (networkd-manager.c:1934)
+==220358==    by 0x40D7BE: run (networkd.c:87)
+==220358==    by 0x40DE75: main (networkd.c:130)
+==220358==  Block was alloc'd at
+==220358==    at 0x4839809: malloc (vg_replace_malloc.c:307)
+==220358==    by 0x452A76: malloc_multiply (alloc-util.h:96)
+==220358==    by 0x4531E6: l2tp_session_new_static (l2tp-tunnel.c:82)
+==220358==    by 0x455C01: config_parse_l2tp_session_id (l2tp-tunnel.c:535)
+==220358==    by 0x48E6D72: next_assignment (conf-parser.c:133)
+==220358==    by 0x48E77A3: parse_line (conf-parser.c:271)
+==220358==    by 0x48E7E4F: config_parse (conf-parser.c:396)
+==220358==    by 0x48E80E5: config_parse_many_files (conf-parser.c:453)
+==220358==    by 0x48E8490: config_parse_many (conf-parser.c:512)
+==220358==    by 0x44089C: netdev_load_one (netdev.c:729)
+==220358==    by 0x441222: netdev_load (netdev.c:851)
+==220358==    by 0x419C50: manager_load_config (networkd-manager.c:1934)
+
+```
+---
+ src/network/netdev/l2tp-tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/netdev/l2tp-tunnel.c b/src/network/netdev/l2tp-tunnel.c
+index 19683c0a00..91788c3681 100644
+--- a/src/network/netdev/l2tp-tunnel.c
++++ b/src/network/netdev/l2tp-tunnel.c
+@@ -44,7 +44,7 @@ static void l2tp_session_free(L2tpSession *s) {
+                 return;
+ 
+         if (s->tunnel && s->section)
+-                ordered_hashmap_remove(s->tunnel->sessions_by_section, s);
++                ordered_hashmap_remove(s->tunnel->sessions_by_section, s->section);
+ 
+         network_config_section_free(s->section);
+ 
+-- 
+2.23.0
+

network-fix-double-free-in-macsec_receive_channel_fr.patch

@@ -0,0 +1,45 @@
+From 0e77fc66bceb9832da82a56a4c1040fe49f8d805 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 29 May 2020 16:56:09 +0900
+Subject: [PATCH] network: fix double free in macsec_receive_channel_free()
+
+Fixes #15941.
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22547
+---
+ src/network/netdev/macsec.c                 |  2 +-
+ test/fuzz/fuzz-netdev-parser/oss-fuzz-22547 | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+ create mode 100644 test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
+
+diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
+index 3542f9652a..8f7559e9ae 100644
+--- a/src/network/netdev/macsec.c
++++ b/src/network/netdev/macsec.c
+@@ -102,7 +102,7 @@ static void macsec_receive_channel_free(ReceiveChannel *c) {
+ 
+         if (c->macsec) {
+                 if (c->sci.as_uint64 > 0)
+-                        ordered_hashmap_remove(c->macsec->receive_channels, &c->sci.as_uint64);
++                        ordered_hashmap_remove_value(c->macsec->receive_channels, &c->sci.as_uint64, c);
+ 
+                 if (c->section)
+                         ordered_hashmap_remove(c->macsec->receive_channels_by_section, c->section);
+diff --git a/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547 b/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
+new file mode 100644
+index 0000000000..ca55a33ae9
+--- /dev/null
++++ b/test/fuzz/fuzz-netdev-parser/oss-fuzz-22547
+@@ -0,0 +1,10 @@
++[NetDev]
++Name=o
++Kind=macsec
++
++[MACsecReceiveChannel]
++MACAddress=12.0.4
++Port=913
++[MACsecReceiveChannel]
++MACAddress=12.0.4
++Port=913
+-- 
+2.23.0
+

systemd.spec

@@ -16,7 +16,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        243
-Release:        23
+Release:        24
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager
 
@@ -86,6 +86,8 @@ Patch0037:      revert-shared-unit-file-add-a-function-to-validate-u.patch
 
 Patch0038:      systemd-Fix-busctl-crash-on-aarch64-when-setting-out.patch
 Patch0039:      seccomp-more-comprehensive-protection-against-libsec.patch
+Patch0040:      network-fix-double-free-in-macsec_receive_channel_fr.patch
+Patch0041:      network-L2TP-fix-crash.patch
 
 #openEuler
 Patch9002:      1509-fix-journal-file-descriptors-leak-problems.patch
@@ -1478,6 +1480,13 @@ fi
 %exclude /usr/share/man/man3/*
 
 %changelog
+* Thu May 28 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-24
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:fix double free in macsec_receive_channel_free() and 
+       fix crash in network L2TP
+
 * Thu May 28 2020 openEuler Buildteam <buildteam@openeuler.org> - 243-23
 - Type:enhancement
 - ID:NA