This is an automated email from the ASF dual-hosted git repository. xiaoxiang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-nuttx.git
The following commit(s) were added to refs/heads/master by this push: new 6c4bd5c5ef net: Fix memcpy() size used by SIOCSIFHWADDR for radios 6c4bd5c5ef is described below commit 6c4bd5c5efea168a63ddb150cee1d0755a19c980 Author: Nathan Hartman <59230071+hartmannat...@users.noreply.github.com> AuthorDate: Thu Sep 15 10:57:51 2022 -0400 net: Fix memcpy() size used by SIOCSIFHWADDR for radios * net/netdev/netdev_ioctl.c: (netdev_ifr_ioctl): The ioctl SIOCSIFHWADDR sets the hardware address (e.g., Ethernet MAC, etc.) of a network interface. Radio devices may have different lengths of hardware addresses, such as NET_6LOWPAN_EADDRSIZE (8), NET_6LOWPAN_SADDRSIZE (2), or RADIO_MAX_ADDRLEN (8). Also, Kconfig CONFIG_PKTRADIO_ADDRLEN allows the user to set any arbitrary size. Note that while the sister ioctl SIOCGIFHWADDR "get hardware address" copies `dev->d_mac.radio.nv_addrlen` bytes, SIOCSIFHWADDR was copying NET_6LOWPAN_ADDRSIZE bytes unconditionally. Depending on which radio is used, this could be incorrect. Fixing it to use `dev->d_mac.radio.nv_addrlen` for SIOCSIFHWADDR as well. Also adding DEBUGASSERT to ensure this is within bounds of source and destination of the copy. --- net/netdev/netdev_ioctl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/netdev/netdev_ioctl.c b/net/netdev/netdev_ioctl.c index ed9ecf6645..a6facbe41f 100644 --- a/net/netdev/netdev_ioctl.c +++ b/net/netdev/netdev_ioctl.c @@ -950,8 +950,14 @@ static int netdev_ifr_ioctl(FAR struct socket *psock, int cmd, if (ret >= 0) { dev->d_mac.radio.nv_addrlen = properties.sp_addrlen; + + DEBUGASSERT(dev->d_mac.radio.nv_addrlen <= + sizeof(dev->d_mac.radio.nv_addr)); + DEBUGASSERT(dev->d_mac.radio.nv_addrlen <= + sizeof(req->ifr_hwaddr.sa_data)); + memcpy(dev->d_mac.radio.nv_addr, - req->ifr_hwaddr.sa_data, NET_6LOWPAN_ADDRSIZE); + req->ifr_hwaddr.sa_data, dev->d_mac.radio.nv_addrlen); } } else
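Review bot: In the `if (ret >= 0)` block, the only bound on the new `memcpy()` length is the pair of `DEBUGASSERT`s, which check nothing in builds without assertions enabled. An `sp_addrlen` reported by the radio driver that exceeds `sizeof(dev->d_mac.radio.nv_addr)` or `sizeof(req->ifr_hwaddr.sa_data)` would then overrun the destination or read past the request. The value is also stored in `dev->d_mac.radio.nv_addrlen` before it is checked, and per the commit message SIOCGIFHWADDR copies that many bytes as well, so an oversized length would persist beyond this call. Consider comparing `properties.sp_addrlen` against both sizes before the assignment and failing the ioctl with an error when it is out of range; the assertions can stay as a development aid.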