replace bogus memcpy() call in ippool_newip()
When copying an address to a reused static hash table member with memcpy(), this code mistakenly passed the size of a pointer as the amount of bytes to be copied, rather than the actual size of the address. This means the IP pool could contain bogus IP addresses because only addr->len (a uint8_t) and 3 further bytes of the address were actually copied on 32 bit platforms. On 64 bit platforms, a sufficient amount of bytes were copied for IPv4 to work correctly, but too few bytes were copied for IPv6. This problem was found by Coverity. Replace the bogus memcpy() call with direct assignments to the appropriate struct in64addr union members, and assert that the length recorded for the address actually corresponds to the length used by the address family (IP4, IPv6). Change-Id: Ic21560f7519e776107485a8779702fb1279d065c Related: CID#57921
This commit is contained in:
Stefan Sperling
parent
411ff3b984
commit
e405c2f196
10
lib/ippool.c
10
lib/ippool.c
|
|
@ -512,7 +512,15 @@ int ippool_newip(struct ippool_t *this, struct ippoolm_t **member,
|
|||
p2->next = NULL;
|
||||
p2->prev = NULL;
|
||||
p2->inuse = 2; /* Static address in use */
|
||||
memcpy(&p2->addr, addr, sizeof(addr));
|
||||
/* p2->addr.len and addr->len already match (see above). */
|
||||
if (p2->addr.len == sizeof(struct in_addr))
|
||||
p2->addr.v4 = addr->v4;
|
||||
else if (p2->addr.len == sizeof(struct in6_addr))
|
||||
p2->addr.v6 = addr->v6;
|
||||
else {
|
||||
SYS_ERR(DIP, LOGL_ERROR, 0, "MS requested unsupported PDP context type");
|
||||
return -GTPCAUSE_UNKNOWN_PDP;
|
||||
}
|
||||
*member = p2;
|
||||
(void)ippool_hashadd(this, *member);
|
||||
if (0)
|
||||
|
|
|
|||
Loading…
Reference in New Issue