diff options
author | Thomas Haller <thaller@redhat.com> | 2016-08-19 13:36:16 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2016-08-19 13:39:34 +0200 |
commit | 87fcbb491d4f0d9491b438ed5ae0096c3e8e06a0 (patch) | |
tree | 39d858050a43eb5535dcaa860088aca68c5abcdc | |
parent | cc828431b89340fc204e98e147ec1e065fca2fa6 (diff) | |
download | NetworkManager-87fcbb491d4f0d9491b438ed5ae0096c3e8e06a0.tar.gz |
vpn: fix out-of-range access reading route.plen in nm_vpn_connection_ip4_config_get()
Also, skip over routes with plen zero.
Fixes: 44768f0311deb9082c69e3525693091a59788ebb
https://bugzilla.redhat.com/show_bug.cgi?id=1368355
-rw-r--r-- | src/vpn-manager/nm-vpn-connection.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/vpn-manager/nm-vpn-connection.c b/src/vpn-manager/nm-vpn-connection.c index 53789093cb..ad4c6a2446 100644 --- a/src/vpn-manager/nm-vpn-connection.c +++ b/src/vpn-manager/nm-vpn-connection.c @@ -1437,6 +1437,7 @@ nm_vpn_connection_ip4_config_get (NMVpnConnection *self, GVariant *dict) } else if (g_variant_lookup (dict, NM_VPN_PLUGIN_IP4_CONFIG_ROUTES, "aau", &iter)) { while (g_variant_iter_next (iter, "@au", &v)) { NMPlatformIP4Route route = { 0, }; + guint32 plen; switch (g_variant_n_children (v)) { case 5: @@ -1444,14 +1445,15 @@ nm_vpn_connection_ip4_config_get (NMVpnConnection *self, GVariant *dict) /* fallthrough */ case 4: g_variant_get_child (v, 0, "u", &route.network); - g_variant_get_child (v, 1, "u", &route.plen); + g_variant_get_child (v, 1, "u", &plen); g_variant_get_child (v, 2, "u", &route.gateway); /* 4th item is unused route metric */ route.metric = route_metric; route.rt_source = NM_IP_CONFIG_SOURCE_VPN; - if (route.plen > 32) + if (plen > 32 || plen == 0) break; + route.plen = plen; /* Ignore host routes to the VPN gateway since NM adds one itself * below. Since NM knows more about the routing situation than |