From e405c2f196ea77ba74438ec90545fda56f8f0444 Mon Sep 17 00:00:00 2001 From: Stefan Sperling Date: Wed, 21 Nov 2018 14:52:43 +0100 Subject: replace bogus memcpy() call in ippool_newip() When copying an address to a reused static hash table member with memcpy(), this code mistakenly passed the size of a pointer as the amount of bytes to be copied, rather than the actual size of the address. This means the IP pool could contain bogus IP addresses because only addr->len (a uint8_t) and 3 further bytes of the address were actually copied on 32 bit platforms. On 64 bit platforms, a sufficient amount of bytes were copied for IPv4 to work correctly, but too few bytes were copied for IPv6. This problem was found by Coverity. Replace the bogus memcpy() call with direct assignments to the appropriate struct in64addr union members, and assert that the length recorded for the address actually corresponds to the length used by the address family (IP4, IPv6). Change-Id: Ic21560f7519e776107485a8779702fb1279d065c Related: CID#57921 --- lib/ippool.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/ippool.c b/lib/ippool.c index 6ce3cda..36121ee 100644 --- a/lib/ippool.c +++ b/lib/ippool.c @@ -512,7 +512,15 @@ int ippool_newip(struct ippool_t *this, struct ippoolm_t **member, p2->next = NULL; p2->prev = NULL; p2->inuse = 2; /* Static address in use */ - memcpy(&p2->addr, addr, sizeof(addr)); + /* p2->addr.len and addr->len already match (see above). */ + if (p2->addr.len == sizeof(struct in_addr)) + p2->addr.v4 = addr->v4; + else if (p2->addr.len == sizeof(struct in6_addr)) + p2->addr.v6 = addr->v6; + else { + SYS_ERR(DIP, LOGL_ERROR, 0, "MS requested unsupported PDP context type"); + return -GTPCAUSE_UNKNOWN_PDP; + } *member = p2; (void)ippool_hashadd(this, *member); if (0) -- cgit v1.2.3