Potential out of bounds memory access in src/modules/network.cpp #4666

@jokesper

While trying to find the cause of a bug I found this section in src/modules/network.cpp:

            char ipaddr[INET6_ADDRSTRLEN];
            if (!is_del_event) {
              if ((net->addr_pref_ == ip_addr_pref::IPV4 ||
                   net->addr_pref_ == ip_addr_pref::IPV4_6) &&
                  net->cidr_ == 0 && ifa->ifa_family == AF_INET) {
                net->ipaddr_ =
                    inet_ntop(ifa->ifa_family, RTA_DATA(ifa_rta), ipaddr, sizeof(ipaddr));
                net->cidr_ = ifa->ifa_prefixlen;
              } else if ((net->addr_pref_ == ip_addr_pref::IPV6 ||
                          net->addr_pref_ == ip_addr_pref::IPV4_6) &&
                         net->cidr6_ == 0 && ifa->ifa_family == AF_INET6) {
                net->ipaddr6_ =
                    inet_ntop(ifa->ifa_family, RTA_DATA(ifa_rta), ipaddr, sizeof(ipaddr));
                net->cidr6_ = ifa->ifa_prefixlen;
              }

According to the man page of inet_ntop, ipaddr is returned. This pointer goes out of scope after the switch case. It is later accessed by getNetworkState. This looks like a use after free (as a C programmer); I don't know if C++ does something special there.

I sometimes had a problem with the network state being permanently in linked. This could be a possible cause, but I don't have a C++ toolchain to test this theory.
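The question raised above turns on how `net->ipaddr_` is declared, which the quoted excerpt does not show. The following is an added example, not part of the original issue or the project's code, contrasting a pointer member (which aliases the stack buffer) with a `std::string` member (which copies the text). `NetView`, `NetOwned` and the sample address are hypothetical stand-ins constructed for the demonstration.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstring>
#include <string>

// Hypothetical stand-ins for the two ways net->ipaddr_ could be declared.
struct NetView  { const char* ipaddr_ = nullptr; };  // stores only the pointer
struct NetOwned { std::string ipaddr_; };            // copies the characters

// Constructed input: 192.0.2.10 (documentation range) in network byte order.
static in_addr sample_addr() {
  in_addr a{};
  inet_pton(AF_INET, "192.0.2.10", &a);
  return a;
}

// inet_ntop returns dst on success, so a pointer member aliases the local buffer.
bool view_aliases_buffer() {
  char buf[INET6_ADDRSTRLEN];
  in_addr a = sample_addr();
  NetView net;
  net.ipaddr_ = inet_ntop(AF_INET, &a, buf, sizeof(buf));
  return net.ipaddr_ == buf;  // valid only while buf is in scope
}

// A std::string member copies on assignment, so the value outlives the buffer.
std::string owned_after_scope() {
  NetOwned net;
  {
    char buf[INET6_ADDRSTRLEN];
    in_addr a = sample_addr();
    const char* s = inet_ntop(AF_INET, &a, buf, sizeof(buf));
    if (s != nullptr) net.ipaddr_ = s;   // assigning a null char* to std::string is UB
    std::memset(buf, 'X', sizeof(buf));  // simulate the stack slot being reused
  }
  return net.ipaddr_;
}

// On failure inet_ntop returns NULL (here: destination buffer too small).
bool short_buffer_fails() {
  char tiny[4];
  in_addr a = sample_addr();
  return inet_ntop(AF_INET, &a, tiny, sizeof(tiny)) == nullptr;
}

int main() {
  return (view_aliases_buffer() && short_buffer_fails() &&
          owned_after_scope() == "192.0.2.10") ? 0 : 1;
}
```

Checking the member's declaration in the header settles which case applies; in either case the unchecked return value of `inet_ntop` is worth guarding against NULL.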
