IPACM: fix the security issue in ConntrackClient
Fix the security issue in IPACM ConntrackClient.
Bug: 34361337
CRs-fixed: 2012248
Test: manual
Change-Id: Ia586d9916fc6391ffce436fba9b1ceae1220bc48
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Acked-by: Shihuan Liu <shihuanl@qti.qualcomm.com>
Signed-off-by: Niranjan Pendharkar <npendhar@codeaurora.org>
(cherry picked from commit 7d710b75c78a6c60b71bd54ca30c84aa655b4d75)
diff --git a/msm8998/ipacm/src/IPACM_ConntrackClient.cpp b/msm8998/ipacm/src/IPACM_ConntrackClient.cpp
index 10154ea..ffb0088 100644
--- a/msm8998/ipacm/src/IPACM_ConntrackClient.cpp
+++ b/msm8998/ipacm/src/IPACM_ConntrackClient.cpp
@@ -173,10 +173,18 @@
uint32_t ipv4_addr;
struct ifreq ifr;
+ if(strlen(IPACM_Iface::ipacmcfg->ipa_virtual_iface_name) >= sizeof(ifr.ifr_name))
+ {
+ IPACMERR("interface name overflows: len %d\n",
+ strlen(IPACM_Iface::ipacmcfg->ipa_virtual_iface_name));
+ close(fd);
+ return -1;
+ }
+
/* retrieve bridge interface ipv4 address */
memset(&ifr, 0, sizeof(struct ifreq));
ifr.ifr_addr.sa_family = AF_INET;
- (void)strncpy(ifr.ifr_name, IPACM_Iface::ipacmcfg->ipa_virtual_iface_name, sizeof(ifr.ifr_name));
+ (void)strlcpy(ifr.ifr_name, IPACM_Iface::ipacmcfg->ipa_virtual_iface_name, sizeof(ifr.ifr_name));
IPACMDBG("bridge interface name (%s)\n", ifr.ifr_name);
ret = ioctl(fd, SIOCGIFADDR, &ifr);