From eff2dc63b4e5821a99f78904e4a9b062e71e077b Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Fri, 19 Aug 2016 13:36:16 +0200 Subject: [PATCH] vpn: fix out-of-range access reading route.plen in nm_vpn_connection_ip4_config_get() Also, skip over routes with plen zero. Fixes: 44768f0311deb9082c69e3525693091a59788ebb https://bugzilla.redhat.com/show_bug.cgi?id=1368355 (cherry picked from commit 87fcbb491d4f0d9491b438ed5ae0096c3e8e06a0) --- src/vpn-manager/nm-vpn-connection.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/vpn-manager/nm-vpn-connection.c b/src/vpn-manager/nm-vpn-connection.c index 53789093cb..ad4c6a2446 100644 --- a/src/vpn-manager/nm-vpn-connection.c +++ b/src/vpn-manager/nm-vpn-connection.c @@ -1437,6 +1437,7 @@ nm_vpn_connection_ip4_config_get (NMVpnConnection *self, GVariant *dict) } else if (g_variant_lookup (dict, NM_VPN_PLUGIN_IP4_CONFIG_ROUTES, "aau", &iter)) { while (g_variant_iter_next (iter, "@au", &v)) { NMPlatformIP4Route route = { 0, }; + guint32 plen; switch (g_variant_n_children (v)) { case 5: @@ -1444,14 +1445,15 @@ nm_vpn_connection_ip4_config_get (NMVpnConnection *self, GVariant *dict) /* fallthrough */ case 4: g_variant_get_child (v, 0, "u", &route.network); - g_variant_get_child (v, 1, "u", &route.plen); + g_variant_get_child (v, 1, "u", &plen); g_variant_get_child (v, 2, "u", &route.gateway); /* 4th item is unused route metric */ route.metric = route_metric; route.rt_source = NM_IP_CONFIG_SOURCE_VPN; - if (route.plen > 32) + if (plen > 32 || plen == 0) break; + route.plen = plen; /* Ignore host routes to the VPN gateway since NM adds one itself * below. Since NM knows more about the routing situation than