From 61f8a6b85c992f1f2fee3dfdfe6c7ce1b461f8c6 Mon Sep 17 00:00:00 2001 From: Robin Jarry Date: Fri, 1 Nov 2024 10:23:11 +0100 Subject: [PATCH] ip6: fix crash when listing 0 nexthops When no nexthops are configured, the ctx.nh array is NULL. Calling memcpy() on a NULL pointer results in undefined behaviour and sometimes invalid memory access. Apply the same fix than commit 9de2cd2fc595 ("nexthop: fix crash when listing 0 nexthops"). Only call memcpy() if there is at least one nexthop to return. Unify how the address of the nexthop array is passed to memcpy. Fixes: 0fc1cd222b8e ("modules: add static ipv6 forwarding support") Signed-off-by: Robin Jarry --- modules/ip/control/nexthop.c | 2 +- modules/ip6/control/nexthop.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/ip/control/nexthop.c b/modules/ip/control/nexthop.c index 3a28d5b3..95a4911f 100644 --- a/modules/ip/control/nexthop.c +++ b/modules/ip/control/nexthop.c @@ -176,7 +176,7 @@ static struct api_out nh4_list(const void *request, void **response) { resp->n_nhs = arrlen(ctx.nh); if (ctx.nh != NULL) - memcpy(&resp->nhs, ctx.nh, arrlen(ctx.nh) * sizeof(*ctx.nh)); + memcpy(resp->nhs, ctx.nh, resp->n_nhs * sizeof(resp->nhs[0])); arrfree(ctx.nh); *response = resp; diff --git a/modules/ip6/control/nexthop.c b/modules/ip6/control/nexthop.c index 64f6d079..9c503291 100644 --- a/modules/ip6/control/nexthop.c +++ b/modules/ip6/control/nexthop.c @@ -178,7 +178,8 @@ static struct api_out nh6_list(const void *request, void **response) { } resp->n_nhs = arrlen(ctx.nh); - memcpy(&resp->nhs, ctx.nh, arrlen(ctx.nh) * sizeof(*ctx.nh)); + if (ctx.nh != NULL) + memcpy(resp->nhs, ctx.nh, resp->n_nhs * sizeof(resp->nhs[0])); arrfree(ctx.nh); *response = resp;