[PATCH] libosmocore[master]: osmo_get_macaddr: Fix buffer read out of bounds

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

Pau Espin Pedrol gerrit-no-reply at lists.osmocom.org
Tue Apr 17 16:20:06 UTC 2018


Hello Neels Hofmeyr, Jenkins Builder,

I'd like you to reexamine a change.  Please visit

    https://gerrit.osmocom.org/7863

to look at the new patch set (#2).

osmo_get_macaddr: Fix buffer read out of bounds

Catched by address sanitizer in osmo-bts-trx during osmo-gsm-tester test
run.

==25503==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b4e8468780 at pc 0x7fd824f543ba bp 0x7fffc21009f0 sp 0x7fffc21009e8
READ of size 16 at 0x55b4e8468780 thread T0
    #0 0x7fd824f543b9 in osmo_get_macaddr libosmocore/src/macaddr.c:132
    #1 0x55b4e842df33 in abis_open osmo-bts/src/common/abis.c:256
    #2 0x55b4e84286c9 in bts_main osmo-bts/src/common/main.c:342
    #3 0x7fd8235ab2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #4 0x55b4e838e759 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-807/inst/osmo-bts/bin/osmo-bts-trx+0xfc759)

Change-Id: I3727ef339279c8eeb85908735467bfd0e02ca259
---
M src/macaddr.c
1 file changed, 7 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/63/7863/2

diff --git a/src/macaddr.c b/src/macaddr.c
index afa7c93..de9d07a 100644
--- a/src/macaddr.c
+++ b/src/macaddr.c
@@ -113,6 +113,7 @@
 #include <net/if.h>
 #include <netinet/in.h>
 #include <netinet/ip.h>
+#include <errno.h>
 
 /*! Obtain the MAC address of a given network device
  *  \param[out] mac_out pointer to caller-allocated buffer of 6 bytes
@@ -121,15 +122,19 @@
  */
 int osmo_get_macaddr(uint8_t *mac_out, const char *dev_name)
 {
-	int fd, rc;
+	int fd, rc, dev_len;
 	struct ifreq ifr;
+
+	dev_len = strlen(dev_name);
+	if (dev_len >= sizeof(ifr.ifr_name))
+		return -EINVAL;
 
 	fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
 	if (fd < 0)
 		return fd;
 
 	memset(&ifr, 0, sizeof(ifr));
-	memcpy(&ifr.ifr_name, dev_name, sizeof(ifr.ifr_name));
+	memcpy(&ifr.ifr_name, dev_name, dev_len + 1);
 	rc = ioctl(fd, SIOCGIFHWADDR, &ifr);
 	close(fd);
 

-- 
To view, visit https://gerrit.osmocom.org/7863
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I3727ef339279c8eeb85908735467bfd0e02ca259
Gerrit-PatchSet: 2
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de>



More information about the gerrit-log mailing list