Bug 742937 - [PATCH] platform: don't read past end of address array
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: IP and DNS config
Version: unspecified
Hardware: Other Linux
Importance: Normal normal
Assigned To: NetworkManager maintainer(s)
Reported: 2015-01-14 21:43 UTC by Dan Williams
Modified: 2015-02-25 14:09 UTC

Attachments
0001-platform-don-t-read-past-end-of-address-array-bgo-74.patch (3.52 KB, patch)
2015-01-14 21:44 UTC, Dan Williams

Description Dan Williams 2015-01-14 21:43:37 UTC
The address might be zero-size, and therefore nl_addr_get_binary_addr()
returns a pointer to a zero-size array.  We don't want to read past the
end of that array.  Since zero-size addresses really mean an address
of all zeros, just make that happen.

As an additional optimization, if the prefix length is zero, the whole
address is host bits and should be cleared.

==30286== Invalid read of size 4
==30286==    at 0x478090: clear_host_address (nm-linux-platform.c:3786)
==30286==    by 0x4784D4: route_search_cache (nm-linux-platform.c:3883)
==30286==    by 0x4785A1: refresh_route (nm-linux-platform.c:3901)
==30286==    by 0x4787B6: ip4_route_delete (nm-linux-platform.c:3978)
==30286==    by 0x47F674: nm_platform_ip4_route_delete (nm-platform.c:1980)
==30286==    by 0x4B279D: _v4_platform_route_delete_default (nm-default-route-manager.c:1122)
==30286==    by 0x4AEF03: _platform_route_sync_flush (nm-default-route-manager.c:320)
==30286==    by 0x4B043E: _resync_all (nm-default-route-manager.c:574)
==30286==    by 0x4B0CA7: _entry_at_idx_remove (nm-default-route-manager.c:631)
==30286==    by 0x4B1A66: _ipx_update_default_route (nm-default-route-manager.c:806)
==30286==    by 0x4B1A9C: nm_default_route_manager_ip4_update_default_route (nm-default-route-manager.c:813)
==30286==    by 0x45C3BC: _cleanup_generic_post (nm-device.c:7143)
==30286==  Address 0xee33514 is 0 bytes after a block of size 20 alloc'd
==30286==    at 0x4C2C080: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==30286==    by 0x6B2B0B1: nl_addr_alloc (in /usr/lib/libnl-3.so.200.20.0)
==30286==    by 0x6B2B0E3: nl_addr_build (in /usr/lib/libnl-3.so.200.20.0)
==30286==    by 0x6B2B181: nl_addr_clone (in /usr/lib/libnl-3.so.200.20.0)
==30286==    by 0x66DB0D7: ??? (in /usr/lib/libnl-route-3.so.200.20.0)
==30286==    by 0x6B33CE6: nl_object_clone (in /usr/lib/libnl-3.so.200.20.0)
==30286==    by 0x6B2D303: nl_cache_add (in /usr/lib/libnl-3.so.200.20.0)
==30286==    by 0x472E55: refresh_object (nm-linux-platform.c:1735)
==30286==    by 0x473137: add_object (nm-linux-platform.c:1795)
==30286==    by 0x478373: ip4_route_add (nm-linux-platform.c:3846)
==30286==    by 0x47F375: nm_platform_ip4_route_add (nm-platform.c:1939)
==30286==    by 0x4AEC06: _platform_route_sync_add (nm-default-route-manager.c:254)
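
The zero-size case described above, as an added example that is not the attached patch or NetworkManager's code: a host-bit clear that never reads more bytes than the address actually holds. `struct bin_addr`, `clear_host_bits`, `network_of` and `sample_addr` are hypothetical names, and the struct is an assumed stand-in for the length and pointer of a netlink address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the length and pointer of a netlink address;
 * not libnl's struct nl_addr. len may be 0. */
struct bin_addr { size_t len; const uint8_t *data; };

/* Constructed sample: 192.168.1.77 */
static const uint8_t sample_addr[4] = { 192, 168, 1, 77 };

/* Write the network part of src into out (out_len bytes), host bits zeroed.
 * Reads at most src->len bytes, so a zero-size address yields all zeros. */
static void clear_host_bits(const struct bin_addr *src, unsigned plen,
                            uint8_t *out, size_t out_len)
{
    size_t avail = src->len < out_len ? src->len : out_len;
    size_t full;

    memset(out, 0, out_len);
    if (plen == 0 || avail == 0)        /* all host bits, or nothing to read */
        return;
    if (plen > out_len * 8)
        plen = (unsigned)(out_len * 8);
    full = plen / 8;
    if (full > avail)
        full = avail;
    memcpy(out, src->data, full);       /* whole network bytes */
    if (plen % 8 && full < avail)       /* partial byte: keep only the top bits */
        out[full] = src->data[full] & (uint8_t)(0xFFu << (8 - plen % 8));
}

/* IPv4 convenience wrapper returning the result in host byte order. */
static uint32_t network_of(const uint8_t *bytes, size_t len, unsigned plen)
{
    struct bin_addr a = { len, bytes };
    uint8_t out[4];
    clear_host_bits(&a, plen, out, sizeof out);
    return (uint32_t)out[0] << 24 | (uint32_t)out[1] << 16 |
           (uint32_t)out[2] << 8 | out[3];
}

int main(void)
{
    printf("%08x\n", (unsigned)network_of(sample_addr, 4, 24));
    printf("%08x\n", (unsigned)network_of(sample_addr, 0, 24));
    return 0;
}
```
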
Comment 1 Dan Williams 2015-01-14 21:44:21 UTC
Created attachment 294554
0001-platform-don-t-read-past-end-of-address-array-bgo-74.patch
Comment 2 Thomas Haller 2015-01-15 10:59:03 UTC
LGTM
Comment 3 Dan Williams 2015-01-15 17:10:14 UTC
master: d2871089a879fd33efec8ca7de2a1850f76e3c4f
nm-1-0: 45c7adb309593b8e8734a7185e078b5b40787b07
nm-0-9-10: 93b318b6b43e9e49aa9c4142d80bfaa91ae08198