From 569b4a71f087b7629b012c012a0b74b540340230 Mon Sep 17 00:00:00 2001
From: Skylar Chang <chiaweic@codeaurora.org>
Date: Wed, 15 Mar 2017 18:15:49 -0700
Subject: IPACM: fix security issue in querying if index

Fix the security issue in ipa_get_if_index() function.

Change-Id: I84d0dc85ae662b8744ae6f380122a096d8670ad0
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
---
 data-ipa-cfg-mgr/ipacm/src/IPACM_Iface.cpp | 55 +++++++++++++++++-------------
 1 file changed, 31 insertions(+), 24 deletions(-)

(limited to 'data-ipa-cfg-mgr/ipacm/src/IPACM_Iface.cpp')

diff --git a/data-ipa-cfg-mgr/ipacm/src/IPACM_Iface.cpp b/data-ipa-cfg-mgr/ipacm/src/IPACM_Iface.cpp
index 84132c9..8c37d80 100644
--- a/data-ipa-cfg-mgr/ipacm/src/IPACM_Iface.cpp
+++ b/data-ipa-cfg-mgr/ipacm/src/IPACM_Iface.cpp
@@ -924,30 +924,37 @@ int IPACM_Iface::ipa_get_if_index
   int * if_index
 )
 {
-  int fd;
-  struct ifreq ifr;
-
-  if((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
-  {
-    IPACMERR("get interface index socket create failed \n");
-    return IPACM_FAILURE;
-  }
-
-  memset(&ifr, 0, sizeof(struct ifreq));
-  (void)strncpy(ifr.ifr_name, if_name, sizeof(ifr.ifr_name));
-  IPACMDBG_H("interface name (%s)\n", if_name);
-
-  if (ioctl(fd,SIOCGIFINDEX , &ifr) < 0)
-  {
-    IPACMERR("call_ioctl_on_dev: ioctl failed, interface name (%s):\n", ifr.ifr_name);
-    close(fd);
-    return IPACM_FAILURE;
-  }
-
-  *if_index = ifr.ifr_ifindex;
-  IPACMDBG_H("Interface index %d\n", *if_index);
-  close(fd);
-  return IPACM_SUCCESS;
+	int fd;
+	struct ifreq ifr;
+
+	if((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+	{
+		IPACMERR("get interface index socket create failed \n");
+		return IPACM_FAILURE;
+	}
+
+	if(strlen(if_name) >= sizeof(ifr.ifr_name))
+	{
+		IPACMERR("interface name overflows: len %d\n", strlen(if_name));
+		close(fd);
+		return IPACM_FAILURE;
+	}
+
+	memset(&ifr, 0, sizeof(struct ifreq));
+	(void)strlcpy(ifr.ifr_name, if_name, sizeof(ifr.ifr_name));
+	IPACMDBG_H("interface name (%s)\n", if_name);
+
+	if(ioctl(fd,SIOCGIFINDEX , &ifr) < 0)
+	{
+		IPACMERR("call_ioctl_on_dev: ioctl failed, interface name (%s):\n", ifr.ifr_name);
+		close(fd);
+		return IPACM_FAILURE;
+	}
+
+	*if_index = ifr.ifr_ifindex;
+	IPACMDBG_H("Interface index %d\n", *if_index);
+	close(fd);
+	return IPACM_SUCCESS;
 }
 
 void IPACM_Iface::config_ip_type(ipa_ip_type iptype)
-- 
cgit v1.2.3