Merge "IPACM: fix security issue in querying if index"
diff --git a/ipacm/inc/IPACM_Config.h b/ipacm/inc/IPACM_Config.h
index 5bcb4eb..1750310 100644
--- a/ipacm/inc/IPACM_Config.h
+++ b/ipacm/inc/IPACM_Config.h
@@ -135,8 +135,8 @@
uint8_t bridge_mac[IPA_MAC_ADDR_SIZE];
/* Store the flt rule count for each producer client*/
- int flt_rule_count_v4[IPA_CLIENT_CONS - IPA_CLIENT_PROD];
- int flt_rule_count_v6[IPA_CLIENT_CONS - IPA_CLIENT_PROD];
+ int flt_rule_count_v4[IPA_CLIENT_MAX];
+ int flt_rule_count_v6[IPA_CLIENT_MAX];
/* IPACM routing table name for v4/v6 */
struct ipa_ioc_get_rt_tbl rt_tbl_lan_v4, rt_tbl_wan_v4, rt_tbl_default_v4, rt_tbl_v6, rt_tbl_wan_v6;
@@ -152,7 +152,7 @@
inline void increaseFltRuleCount(int index, ipa_ip_type iptype, int increment)
{
- if((index >= IPA_CLIENT_CONS - IPA_CLIENT_PROD) || (index < 0))
+ if((index >= IPA_CLIENT_MAX) || (index < 0))
{
IPACMERR("Index is out of range: %d.\n", index);
return;
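Review bot: The range check in increaseFltRuleCount hard-codes `IPA_CLIENT_MAX` rather than deriving the limit from the array it guards, and the same line is repeated in the decreaseFltRuleCount and getFltRuleCount hunks below. If flt_rule_count_v4/v6 are resized again, each of the three checks has to be found and changed by hand, and a missed one becomes an out-of-bounds access. Tying the bound to the declaration removes that coupling, for example `if (index < 0 || index >= (int)(sizeof(flt_rule_count_v4) / sizeof(flt_rule_count_v4[0])))`, ideally in one shared helper used by all three accessors. A short comment stating what `index` is expected to be (presumably an IPA client enum value, to be confirmed against the callers) would also help; the function body continues outside this hunk.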
@@ -172,7 +172,7 @@
inline void decreaseFltRuleCount(int index, ipa_ip_type iptype, int decrement)
{
- if((index >= IPA_CLIENT_CONS - IPA_CLIENT_PROD) || (index < 0))
+ if((index >= IPA_CLIENT_MAX) || (index < 0))
{
IPACMERR("Index is out of range: %d.\n", index);
return;
@@ -192,7 +192,7 @@
inline int getFltRuleCount(int index, ipa_ip_type iptype)
{
- if((index >= IPA_CLIENT_CONS - IPA_CLIENT_PROD) || (index < 0))
+ if((index >= IPA_CLIENT_MAX) || (index < 0))
{
IPACMERR("Index is out of range: %d.\n", index);
return -1;
diff --git a/ipacm/src/IPACM_Config.cpp b/ipacm/src/IPACM_Config.cpp
index 4b02b57..a355883 100644
--- a/ipacm/src/IPACM_Config.cpp
+++ b/ipacm/src/IPACM_Config.cpp
@@ -144,8 +144,8 @@
qmap_id = ~0;
- memset(flt_rule_count_v4, 0, (IPA_CLIENT_CONS - IPA_CLIENT_PROD)*sizeof(int));
- memset(flt_rule_count_v6, 0, (IPA_CLIENT_CONS - IPA_CLIENT_PROD)*sizeof(int));
+ memset(flt_rule_count_v4, 0, IPA_CLIENT_MAX*sizeof(int));
+ memset(flt_rule_count_v6, 0, IPA_CLIENT_MAX*sizeof(int));
memset(bridge_mac, 0, IPA_MAC_ADDR_SIZE*sizeof(uint8_t));
IPACMDBG_H(" create IPACM_Config constructor\n");
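Review bot: Both memset calls compute the byte count as `IPA_CLIENT_MAX*sizeof(int)`, which restates the array length and element type separately from the declaration in IPACM_Config.h. If either the length or the element type changes in the header, these calls will silently clear too little or write past the array. Using the array itself as the size keeps them in step: `memset(flt_rule_count_v4, 0, sizeof(flt_rule_count_v4));` and `memset(flt_rule_count_v6, 0, sizeof(flt_rule_count_v6));`. The constructor starts and ends outside this hunk.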
diff --git a/ipacm/src/IPACM_ConntrackClient.cpp b/ipacm/src/IPACM_ConntrackClient.cpp
index 146cedb..23724fd 100644
--- a/ipacm/src/IPACM_ConntrackClient.cpp
+++ b/ipacm/src/IPACM_ConntrackClient.cpp
@@ -169,10 +169,18 @@
uint32_t ipv4_addr;
struct ifreq ifr;
+ if(strlen(IPACM_Iface::ipacmcfg->ipa_virtual_iface_name) >= sizeof(ifr.ifr_name))
+ {
+ IPACMERR("interface name overflows: len %d\n",
+ strlen(IPACM_Iface::ipacmcfg->ipa_virtual_iface_name));
+ close(fd);
+ return -1;
+ }
+
/* retrieve bridge interface ipv4 address */
memset(&ifr, 0, sizeof(struct ifreq));
ifr.ifr_addr.sa_family = AF_INET;
- (void)strncpy(ifr.ifr_name, IPACM_Iface::ipacmcfg->ipa_virtual_iface_name, sizeof(ifr.ifr_name));
+ (void)strlcpy(ifr.ifr_name, IPACM_Iface::ipacmcfg->ipa_virtual_iface_name, sizeof(ifr.ifr_name));
IPACMDBG("bridge interface name (%s)\n", ifr.ifr_name);
ret = ioctl(fd, SIOCGIFADDR, &ifr);
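Review bot: The new error path passes the `size_t` result of `strlen()` to a `%d` conversion in the IPACMERR call, which is a format/argument mismatch if IPACMERR forwards to a printf-style function (it appears to). On targets where `size_t` is wider than `int` that is undefined behaviour and can log a wrong length. Computing the length once and printing it with the matching specifier fixes this and avoids the second `strlen()`: `size_t name_len = strlen(IPACM_Iface::ipacmcfg->ipa_virtual_iface_name);` followed by `IPACMERR("interface name overflows: len %zu\n", name_len);`. The check itself assumes ipa_virtual_iface_name is NUL-terminated, which cannot be confirmed here because the enclosing function and the buffer's definition are outside the hunk.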