GNOME Bugzilla – Bug 742937
[PATCH] platform: don't read past end of address array
Last modified: 2015-02-25 14:09:02 UTC
The address might be zero-size, and therefore nl_addr_get_binary_addr() returns a pointer to a zero-size array. We don't want to read past the end of that array. Since zero-size addresses really mean an address of all zeros, just make that happen. As an additional optimization, if the prefix length is zero, the whole address is host bits and should be cleared. ==30286== Invalid read of size 4 ==30286== at 0x478090: clear_host_address (nm-linux-platform.c:3786) ==30286== by 0x4784D4: route_search_cache (nm-linux-platform.c:3883) ==30286== by 0x4785A1: refresh_route (nm-linux-platform.c:3901) ==30286== by 0x4787B6: ip4_route_delete (nm-linux-platform.c:3978) ==30286== by 0x47F674: nm_platform_ip4_route_delete (nm-platform.c:1980) ==30286== by 0x4B279D: _v4_platform_route_delete_default (nm-default-route-manager.c:1122) ==30286== by 0x4AEF03: _platform_route_sync_flush (nm-default-route-manager.c:320) ==30286== by 0x4B043E: _resync_all (nm-default-route-manager.c:574) ==30286== by 0x4B0CA7: _entry_at_idx_remove (nm-default-route-manager.c:631) ==30286== by 0x4B1A66: _ipx_update_default_route (nm-default-route-manager.c:806) ==30286== by 0x4B1A9C: nm_default_route_manager_ip4_update_default_route (nm-default-route-manager.c:813) ==30286== by 0x45C3BC: _cleanup_generic_post (nm-device.c:7143) ==30286== Address 0xee33514 is 0 bytes after a block of size 20 alloc'd ==30286== at 0x4C2C080: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==30286== by 0x6B2B0B1: nl_addr_alloc (in /usr/lib/libnl-3.so.200.20.0) ==30286== by 0x6B2B0E3: nl_addr_build (in /usr/lib/libnl-3.so.200.20.0) ==30286== by 0x6B2B181: nl_addr_clone (in /usr/lib/libnl-3.so.200.20.0) ==30286== by 0x66DB0D7: ??? (in /usr/lib/libnl-route-3.so.200.20.0) ==30286== by 0x6B33CE6: nl_object_clone (in /usr/lib/libnl-3.so.200.20.0) ==30286== by 0x6B2D303: nl_cache_add (in /usr/lib/libnl-3.so.200.20.0) ==30286== by 0x472E55: refresh_object (nm-linux-platform.c:1735) ==30286== by 0x473137: add_object (nm-linux-platform.c:1795) ==30286== by 0x478373: ip4_route_add (nm-linux-platform.c:3846) ==30286== by 0x47F375: nm_platform_ip4_route_add (nm-platform.c:1939) ==30286== by 0x4AEC06: _platform_route_sync_add (nm-default-route-manager.c:254)
Created attachment 294554 [details] [review] 0001-platform-don-t-read-past-end-of-address-array-bgo-74.patch
LGTM
master: d2871089a879fd33efec8ca7de2a1850f76e3c4f nm-1-0: 45c7adb309593b8e8734a7185e078b5b40787b07 nm-0-9-10: 93b318b6b43e9e49aa9c4142d80bfaa91ae08198