ip6: fix crash when listing 0 nexthops

When no nexthops are configured, the ctx.nh array is NULL. Calling memcpy() on a NULL pointer results in undefined behaviour and sometimes invalid memory access. Apply the same fix than commit 9de2cd2 ("nexthop: fix crash when listing 0 nexthops"). Only call memcpy() if there is at least one nexthop to return. Unify how the address of the nexthop array is passed to memcpy. Fixes: 0fc1cd2 ("modules: add static ipv6 forwarding support") Signed-off-by: Robin Jarry <[email protected]>
DPDK · Nov 1, 2024 · 61f8a6b · 61f8a6b
1 parent b342398
commit 61f8a6b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/modules/ip/control/nexthop.c b/modules/ip/control/nexthop.c
@@ -176,7 +176,7 @@ static struct api_out nh4_list(const void *request, void **response) {
 
 	resp->n_nhs = arrlen(ctx.nh);
 	if (ctx.nh != NULL)
-		memcpy(&resp->nhs, ctx.nh, arrlen(ctx.nh) * sizeof(*ctx.nh));
+		memcpy(resp->nhs, ctx.nh, resp->n_nhs * sizeof(resp->nhs[0]));
 	arrfree(ctx.nh);
 	*response = resp;
 

diff --git a/modules/ip6/control/nexthop.c b/modules/ip6/control/nexthop.c
@@ -178,7 +178,8 @@ static struct api_out nh6_list(const void *request, void **response) {
 	}
 
 	resp->n_nhs = arrlen(ctx.nh);
-	memcpy(&resp->nhs, ctx.nh, arrlen(ctx.nh) * sizeof(*ctx.nh));
+	if (ctx.nh != NULL)
+		memcpy(resp->nhs, ctx.nh, resp->n_nhs * sizeof(resp->nhs[0]));
 	arrfree(ctx.nh);
 	*response = resp;