diff options
| author | Thomas Haller <thaller@redhat.com> | 2022-12-05 13:04:17 +0100 |
|---|---|---|
| committer | Thomas Haller <thaller@redhat.com> | 2022-12-09 12:47:51 +0100 |
| commit | a59b9b629268dbc98fab62a9d6bbe63e3987e354 (patch) | |
| tree | 791c402e0f299368cc79c2ff5080bf4154a57888 | |
| parent | 677be52f7109c248a2ea35393871fd6c2f67560a (diff) | |
core: fix out-of-bounds for nm_utils_get_ipv6_interface_identifier()
For link type NM_LINK_TYPE_6LOWPAN, nm_utils_get_ipv6_interface_identifier()
expects 8 bytes hardware address. It even just accesses the buffer
without checking (that needs to be fixed too).
For 6lowpan devices, the caller might construct a fake ethernet MAC
address, which is only 6 bytes long. So wrong.
Fixes: 49844ea55f1c ('device: generate pseudo 48-bit address from the WPAN short one')
(cherry picked from commit 53d1d8ba91252fa545bd7d8779af3d3f88ef61e4)
| -rw-r--r-- | src/core/devices/nm-device.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c index 2f800d0d28..059e31f298 100644 --- a/src/core/devices/nm-device.c +++ b/src/core/devices/nm-device.c @@ -4838,6 +4838,7 @@ get_ip_iface_identifier(NMDevice *self, NMUtilsIPv6IfaceId *out_iid) NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); NMPlatform *platform = nm_device_get_platform(self); const NMPlatformLink *pllink; + NMLinkType link_type; const guint8 *hwaddr; guint8 pseudo_hwaddr[ETH_ALEN]; gsize hwaddr_len; @@ -4856,6 +4857,8 @@ get_ip_iface_identifier(NMDevice *self, NMUtilsIPv6IfaceId *out_iid) if (hwaddr_len <= 0) return FALSE; + link_type = pllink->type; + if (pllink->type == NM_LINK_TYPE_6LOWPAN) { /* If the underlying IEEE 802.15.4 device has a short address we generate * a "pseudo 48-bit address" that's to be used in the same fashion as a @@ -4876,10 +4879,11 @@ get_ip_iface_identifier(NMDevice *self, NMUtilsIPv6IfaceId *out_iid) hwaddr = pseudo_hwaddr; hwaddr_len = G_N_ELEMENTS(pseudo_hwaddr); + link_type = NM_LINK_TYPE_ETHERNET; } } - success = nm_utils_get_ipv6_interface_identifier(pllink->type, + success = nm_utils_get_ipv6_interface_identifier(link_type, hwaddr, hwaddr_len, priv->dev_id, |