From 53d1d8ba91252fa545bd7d8779af3d3f88ef61e4 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Mon, 5 Dec 2022 13:04:17 +0100 Subject: [PATCH] core: fix out-of-bounds for nm_utils_get_ipv6_interface_identifier() For link type NM_LINK_TYPE_6LOWPAN, nm_utils_get_ipv6_interface_identifier() expects 8 bytes hardware address. It even just accesses the buffer without checking (that needs to be fixed too). For 6lowpan devices, the caller might construct a fake ethernet MAC address, which is only 6 bytes long. So wrong. Fixes: 49844ea55f1c ('device: generate pseudo 48-bit address from the WPAN short one') --- src/core/devices/nm-device.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/core/devices/nm-device.c b/src/core/devices/nm-device.c index 5301436855..67f58bada2 100644 --- a/src/core/devices/nm-device.c +++ b/src/core/devices/nm-device.c @@ -4848,6 +4848,7 @@ get_ip_iface_identifier(NMDevice *self, NMUtilsIPv6IfaceId *out_iid) NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self); NMPlatform *platform = nm_device_get_platform(self); const NMPlatformLink *pllink; + NMLinkType link_type; const guint8 *hwaddr; guint8 pseudo_hwaddr[ETH_ALEN]; gsize hwaddr_len; @@ -4866,6 +4867,8 @@ get_ip_iface_identifier(NMDevice *self, NMUtilsIPv6IfaceId *out_iid) if (hwaddr_len <= 0) return FALSE; + link_type = pllink->type; + if (pllink->type == NM_LINK_TYPE_6LOWPAN) { /* If the underlying IEEE 802.15.4 device has a short address we generate * a "pseudo 48-bit address" that's to be used in the same fashion as a @@ -4886,10 +4889,11 @@ get_ip_iface_identifier(NMDevice *self, NMUtilsIPv6IfaceId *out_iid) hwaddr = pseudo_hwaddr; hwaddr_len = G_N_ELEMENTS(pseudo_hwaddr); + link_type = NM_LINK_TYPE_ETHERNET; } } - success = nm_utils_get_ipv6_interface_identifier(pllink->type, + success = nm_utils_get_ipv6_interface_identifier(link_type, hwaddr, hwaddr_len, priv->dev_id,