diff options
author | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-04-17 17:58:24 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-04-18 08:57:56 +0000 |
commit | 8fb458667d4efca3def3827c31768f10387a05cb (patch) | |
tree | 142cf73db4841cf57b2d28a9812bf9f68e5ec23e /src | |
parent | a4399c8891ec3302a08ab11da6827ef762024c50 (diff) |
osmo_get_macaddr: Fix buffer read out of bounds
Catched by address sanitizer in osmo-bts-trx during osmo-gsm-tester test
run.
==25503==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55b4e8468780 at pc 0x7fd824f543ba bp 0x7fffc21009f0 sp 0x7fffc21009e8
READ of size 16 at 0x55b4e8468780 thread T0
#0 0x7fd824f543b9 in osmo_get_macaddr libosmocore/src/macaddr.c:132
#1 0x55b4e842df33 in abis_open osmo-bts/src/common/abis.c:256
#2 0x55b4e84286c9 in bts_main osmo-bts/src/common/main.c:342
#3 0x7fd8235ab2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#4 0x55b4e838e759 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-807/inst/osmo-bts/bin/osmo-bts-trx+0xfc759)
Change-Id: I3727ef339279c8eeb85908735467bfd0e02ca259
Diffstat (limited to 'src')
-rw-r--r-- | src/macaddr.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/macaddr.c b/src/macaddr.c index afa7c936..de9d07af 100644 --- a/src/macaddr.c +++ b/src/macaddr.c @@ -113,6 +113,7 @@ int osmo_get_macaddr(uint8_t *mac_out, const char *dev_name) #include <net/if.h> #include <netinet/in.h> #include <netinet/ip.h> +#include <errno.h> /*! Obtain the MAC address of a given network device * \param[out] mac_out pointer to caller-allocated buffer of 6 bytes @@ -121,15 +122,19 @@ int osmo_get_macaddr(uint8_t *mac_out, const char *dev_name) */ int osmo_get_macaddr(uint8_t *mac_out, const char *dev_name) { - int fd, rc; + int fd, rc, dev_len; struct ifreq ifr; + dev_len = strlen(dev_name); + if (dev_len >= sizeof(ifr.ifr_name)) + return -EINVAL; + fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP); if (fd < 0) return fd; memset(&ifr, 0, sizeof(ifr)); - memcpy(&ifr.ifr_name, dev_name, sizeof(ifr.ifr_name)); + memcpy(&ifr.ifr_name, dev_name, dev_len + 1); rc = ioctl(fd, SIOCGIFHWADDR, &ifr); close(fd); |