From 0b68cabeb40d6e24a677a9332d3f3db163b5d723 Mon Sep 17 00:00:00 2001 From: Hans Dedecker Date: Thu, 5 Dec 2013 13:54:19 +0100 Subject: [PATCH 1/1] Fix possible SEGFAULT conditions --- src/config.c | 33 ++++++++++++++++++++++++++++-- src/dhcpv4.c | 19 ++++++++++++++++- src/dhcpv6-ia.c | 63 ++++++++++++++++++++++++++++++++++++--------------------- src/dhcpv6.c | 8 ++++++-- src/ndp.c | 9 +++++++++ src/router.c | 5 +++++ 6 files changed, 109 insertions(+), 28 deletions(-) diff --git a/src/config.c b/src/config.c index e9a61a9..98a826f 100644 --- a/src/config.c +++ b/src/config.c @@ -218,6 +218,8 @@ static int set_lease(struct uci_section *s) hostlen = blobmsg_data_len(c); struct lease *lease = calloc(1, sizeof(*lease) + hostlen); + if (!lease) + goto err; if (hostlen > 1) memcpy(lease->hostname, blobmsg_get_string(c), hostlen); @@ -233,6 +235,9 @@ static int set_lease(struct uci_section *s) if ((c = tb[LEASE_ATTR_DUID])) { size_t duidlen = (blobmsg_data_len(c) - 1) / 2; lease->duid = malloc(duidlen); + if (!lease->duid) + goto err; + ssize_t len = odhcpd_unhexlify(lease->duid, duidlen, blobmsg_get_string(c)); @@ -251,8 +256,10 @@ static int set_lease(struct uci_section *s) return 0; err: - free(lease->duid); - free(lease); + if (lease) { + free(lease->duid); + free(lease); + } return -1; } @@ -271,6 +278,9 @@ int config_parse_interface(void *data, size_t len, const char *name, bool overwr struct interface *iface = get_interface(name); if (!iface) { iface = calloc(1, sizeof(*iface)); + if (!iface) + return -1; + strncpy(iface->name, name, sizeof(iface->name) - 1); list_add(&iface->head, &interfaces); } @@ -348,6 +358,9 @@ int config_parse_interface(void *data, size_t len, const char *name, bool overwr iface->upstream = realloc(iface->upstream, iface->upstream_len + blobmsg_data_len(cur)); + if (!iface->upstream) + goto err; + memcpy(iface->upstream + iface->upstream_len, blobmsg_get_string(cur), blobmsg_data_len(cur)); iface->upstream_len += blobmsg_data_len(cur); } @@ -396,10 +409,16 @@ int config_parse_interface(void *data, size_t len, const char *name, bool overwr if (inet_pton(AF_INET, blobmsg_get_string(cur), &addr4) == 1) { iface->dhcpv4_dns = realloc(iface->dhcpv4_dns, (++iface->dhcpv4_dns_cnt) * sizeof(*iface->dhcpv4_dns)); + if (!iface->dhcpv4_dns) + goto err; + iface->dhcpv4_dns[iface->dhcpv4_dns_cnt - 1] = addr4; } else if (inet_pton(AF_INET6, blobmsg_get_string(cur), &addr6) == 1) { iface->dns = realloc(iface->dns, (++iface->dns_cnt) * sizeof(*iface->dns)); + if (!iface->dns) + goto err; + iface->dns[iface->dns_cnt - 1] = addr6; } else { goto err; @@ -421,6 +440,9 @@ int config_parse_interface(void *data, size_t len, const char *name, bool overwr goto err; iface->search = realloc(iface->search, iface->search_len + len); + if (!iface->search) + goto err; + memcpy(&iface->search[iface->search_len], buf, len); iface->search_len += len; } @@ -467,6 +489,9 @@ int config_parse_interface(void *data, size_t len, const char *name, bool overwr int len = blobmsg_data_len(cur); iface->static_ndp = realloc(iface->static_ndp, iface->static_ndp_len + len); + if (!iface->static_ndp) + goto err; + memcpy(&iface->static_ndp[iface->static_ndp_len], blobmsg_get_string(cur), len); iface->static_ndp_len += len; } @@ -499,6 +524,10 @@ void odhcpd_reload(void) } struct interface *master = NULL, *i, *n; + + if (!uci) + return; + list_for_each_entry(i, &interfaces, head) clean_interface(i); diff --git a/src/dhcpv4.c b/src/dhcpv4.c index 79fabe2..49b75f4 100644 --- a/src/dhcpv4.c +++ b/src/dhcpv4.c @@ -61,6 +61,11 @@ int setup_dhcpv4_interface(struct interface *iface, bool enable) INIT_LIST_HEAD(&iface->dhcpv4_assignments); int sock = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, IPPROTO_UDP); + if (sock < 0) { + syslog(LOG_ERR, "Failed to create DHCPv4 server socket: %s", + strerror(errno)); + return -1; + } // Basic IPv6 configuration int val = 1; @@ -139,7 +144,11 @@ int setup_dhcpv4_interface(struct interface *iface, bool enable) // Construct entry size_t hostlen = strlen(lease->hostname) + 1; struct dhcpv4_assignment *a = calloc(1, sizeof(*a) + hostlen); - + if (!a) { + syslog(LOG_ERR, "Calloc failed for static lease on interface %s", + iface->ifname); + return -1; + } a->addr = ntohl(lease->ipaddr.s_addr); memcpy(a->hwaddr, lease->mac.ether_addr_octet, sizeof(a->hwaddr)); memcpy(a->hostname, lease->hostname, hostlen); @@ -470,6 +479,10 @@ static struct dhcpv4_assignment* dhcpv4_lease(struct interface *iface, if (!a && !iface->no_dynamic_dhcp) { // Create new binding a = calloc(1, sizeof(*a) + hostlen); + if (!a) { + syslog(LOG_ERR, "Failed to calloc binding on interface %s", iface->ifname); + return NULL; + } memcpy(a->hwaddr, mac, sizeof(a->hwaddr)); memcpy(a->hostname, hostname, hostlen); @@ -478,6 +491,10 @@ static struct dhcpv4_assignment* dhcpv4_lease(struct interface *iface, if (assigned && !a->hostname[0] && hostname) { a = realloc(a, sizeof(*a) + hostlen); + if (!a) { + syslog(LOG_ERR, "Failed to realloc binding on interface %s", iface->ifname); + return NULL; + } memcpy(a->hostname, hostname, hostlen); // Fixup list diff --git a/src/dhcpv6-ia.c b/src/dhcpv6-ia.c index 3defa84..205b617 100644 --- a/src/dhcpv6-ia.c +++ b/src/dhcpv6-ia.c @@ -63,6 +63,11 @@ int setup_dhcpv6_ia_interface(struct interface *iface, bool enable) if (list_empty(&iface->ia_assignments)) { struct dhcpv6_assignment *border = calloc(1, sizeof(*border)); + if (!border) { + syslog(LOG_ERR, "Calloc failed for border on interface %s", iface->ifname); + return -1; + } + border->length = 64; list_add(&border->head, &iface->ia_assignments); } @@ -74,6 +79,12 @@ int setup_dhcpv6_ia_interface(struct interface *iface, bool enable) list_for_each_entry(lease, &leases, head) { // Construct entry struct dhcpv6_assignment *a = calloc(1, sizeof(*a) + lease->duid_len); + if (!a) { + syslog(LOG_ERR, "Calloc failed for static lease assignment on interface %s", + iface->ifname); + return -1; + } + a->clid_len = lease->duid_len; a->length = 128; a->assigned = lease->hostid; @@ -885,7 +896,8 @@ size_t dhcpv6_handle_ia(uint8_t *buf, size_t buflen, struct interface *iface, a->all_class = class_oro; a->classes_cnt = classes_cnt; a->classes = realloc(a->classes, classes_cnt * sizeof(uint16_t)); - memcpy(a->classes, classes, classes_cnt * sizeof(uint16_t)); + if (a->classes) + memcpy(a->classes, classes, classes_cnt * sizeof(uint16_t)); break; } } @@ -897,28 +909,31 @@ size_t dhcpv6_handle_ia(uint8_t *buf, size_t buflen, struct interface *iface, if (!a && !iface->no_dynamic_dhcp) { // Create new binding a = calloc(1, sizeof(*a) + clid_len); - a->clid_len = clid_len; - a->iaid = ia->iaid; - a->length = reqlen; - a->peer = *addr; - a->assigned = reqhint; - a->all_class = class_oro; - a->classes_cnt = classes_cnt; - if (classes_cnt) { - a->classes = malloc(classes_cnt * sizeof(uint16_t)); - memcpy(a->classes, classes, classes_cnt * sizeof(uint16_t)); - } + if (a) { + a->clid_len = clid_len; + a->iaid = ia->iaid; + a->length = reqlen; + a->peer = *addr; + a->assigned = reqhint; + a->all_class = class_oro; + a->classes_cnt = classes_cnt; + if (classes_cnt) { + a->classes = malloc(classes_cnt * sizeof(uint16_t)); + if (a->classes) + memcpy(a->classes, classes, classes_cnt * sizeof(uint16_t)); + } - if (first) - memcpy(a->key, first->key, sizeof(a->key)); - else - odhcpd_urandom(a->key, sizeof(a->key)); - memcpy(a->clid_data, clid_data, clid_len); + if (first) + memcpy(a->key, first->key, sizeof(a->key)); + else + odhcpd_urandom(a->key, sizeof(a->key)); + memcpy(a->clid_data, clid_data, clid_len); - if (is_pd) - while (!(assigned = assign_pd(iface, a)) && ++a->length <= 64); - else - assigned = assign_na(iface, a); + if (is_pd) + while (!(assigned = assign_pd(iface, a)) && ++a->length <= 64); + else + assigned = assign_na(iface, a); + } } if (!assigned || iface->ia_addr_len == 0) { // Set error status @@ -959,8 +974,10 @@ size_t dhcpv6_handle_ia(uint8_t *buf, size_t buflen, struct interface *iface, } else if (assigned && hdr->msg_type == DHCPV6_MSG_REQUEST) { if (hostname_len > 0) { a->hostname = realloc(a->hostname, hostname_len + 1); - memcpy(a->hostname, hostname, hostname_len); - a->hostname[hostname_len] = 0; + if (a->hostname) { + memcpy(a->hostname, hostname, hostname_len); + a->hostname[hostname_len] = 0; + } } a->accept_reconf = accept_reconf; apply_lease(iface, a, true); diff --git a/src/dhcpv6.c b/src/dhcpv6.c index 9515f40..7560a75 100644 --- a/src/dhcpv6.c +++ b/src/dhcpv6.c @@ -40,6 +40,11 @@ static struct odhcpd_event dhcpv6_event = {{.fd = -1}, handle_dhcpv6}; int init_dhcpv6(void) { int sock = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, IPPROTO_UDP); + if (sock < 0) { + syslog(LOG_ERR, "Failed to create DHCPv6 server socket: %s", + strerror(errno)); + return -1; + } // Basic IPv6 configuration int val = 1; @@ -91,8 +96,7 @@ int setup_dhcpv6_interface(struct interface *iface, bool enable) IPV6_ADD_MEMBERSHIP, &server, sizeof(server)); } - setup_dhcpv6_ia_interface(iface, enable); - return 0; + return setup_dhcpv6_ia_interface(iface, enable); } diff --git a/src/ndp.c b/src/ndp.c index 89bcd3c..bd62068 100644 --- a/src/ndp.c +++ b/src/ndp.c @@ -160,10 +160,19 @@ int setup_ndp_interface(struct interface *iface, bool enable) if (iface->static_ndp_len) { char *entry = alloca(iface->static_ndp_len), *saveptr; + if (!entry) { + syslog(LOG_ERR, "Alloca failed for static NDP list"); + return -1; + } memcpy(entry, iface->static_ndp, iface->static_ndp_len); for (entry = strtok_r(entry, " ", &saveptr); entry; entry = strtok_r(NULL, " ", &saveptr)) { struct ndp_neighbor *n = malloc(sizeof(*n)); + if (!n) { + syslog(LOG_ERR, "Malloc failed for static NDP-prefix %s", entry); + return -1; + } + n->iface = iface; n->timeout = 0; diff --git a/src/router.c b/src/router.c index 5abf1e6..83da938 100644 --- a/src/router.c +++ b/src/router.c @@ -353,6 +353,11 @@ static void send_router_advert(struct uloop_timeout *event) uint32_t lifetime; uint8_t name[]; } *search = alloca(sizeof(*search) + search_padded); + + if (!search) { + syslog(LOG_ERR, "Alloca failed for dns search on interface %s", iface->ifname); + return; + } search->type = ND_OPT_DNS_SEARCH; search->len = search_len ? ((sizeof(*search) + search_padded) / 8) : 0; search->pad = 0; -- 2.11.0