[PATCH 1/2] ip-pool: Make host address valid even if prefix_len != 24

[PATCH 1/2] ip-pool: Make host address valid even if prefix_len != 24

[Andrew Zaborowski]

[-- Attachment #1: Type: text/plain, Size: 768 bytes --]

At the end of ip_pool_select_addr4() we'd check if the selected address
is equal to the subnet address and increment it by 1 to produce a valid
host address for the AP.  That check was always correct only with 24-bit
prefix, extend it to actually use the prefix-dependent mask instead of
0xff.  Fixes a testAP failure triggered 50% of the times because the
netmask is 28 bit long there.
---
 src/ip-pool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ip-pool.c b/src/ip-pool.c
index 42c96bb4..e3f02d5e 100644
--- a/src/ip-pool.c
+++ b/src/ip-pool.c
@@ -236,7 +236,7 @@ check_avail:
 		selected -= count;
 	}
 
-	if ((host_addr & 0xff) == 0)
+	if ((host_addr & host_mask) == 0)
 		host_addr += 1;
 
 done:
-- 
2.30.2

[PATCH 2/2] ip-pool: Validate prefix lengths in used addresses

[Andrew Zaborowski]

[-- Attachment #1: Type: text/plain, Size: 2369 bytes --]

Be paranoid and check that the prefix length in addresses from
used_addr4_list are not zero (they shouldn't be) and that address family
is AF_INET (it should be), mainly to quiet coverity warnings:

>>>     CID 370881:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "1 << 32 - l_rtnl_address_get_prefix_length(rec->addr)", left shifting by more than 31 bits has undefined behavior.  The shift amount, "32 - l_rtnl_address_get_prefix_length(rec->addr)", is 32.
151              uint32_t used_subnet_size = 1 <<
152                      (32 - l_rtnl_address_get_prefix_length(rec->addr));

>>>     CID 370878:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "addr_str" of 16 bytes by passing it to a function which accesses it at byte offset 45.
154              if (!l_rtnl_address_get_address(rec->addr, addr_str) ||

While there also fix one line's indentation.
---
 src/ip-pool.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/ip-pool.c b/src/ip-pool.c
index e3f02d5e..fc0bf6d7 100644
--- a/src/ip-pool.c
+++ b/src/ip-pool.c
@@ -148,13 +148,19 @@ int ip_pool_select_addr4(const char **addr_str_list, uint8_t subnet_prefix_len,
 		const struct ip_pool_addr4_record *rec = entry->data;
 		struct ip_pool_addr4_range *range;
 		char addr_str[INET_ADDRSTRLEN];
-		uint32_t used_subnet_size = 1 <<
-			(32 - l_rtnl_address_get_prefix_length(rec->addr));
-
-		if (!l_rtnl_address_get_address(rec->addr, addr_str) ||
+		uint8_t used_prefix_len =
+			l_rtnl_address_get_prefix_length(rec->addr);
+		uint32_t used_subnet_size;
+
+		if (l_rtnl_address_get_family(rec->addr) != AF_INET ||
+				!l_rtnl_address_get_address(rec->addr,
+								addr_str) ||
+				used_prefix_len < 1 ||
 				inet_pton(AF_INET, addr_str, &ia) != 1)
 			continue;
 
+		used_subnet_size = 1 << (32 - used_prefix_len);
+
 		range = l_new(struct ip_pool_addr4_range, 1);
 		range->start = ntohl(ia.s_addr) & subnet_mask;
 		range->end = (range->start + used_subnet_size + subnet_size -
@@ -215,7 +221,7 @@ check_avail:
 	for (entry = l_queue_get_entries(ranges); entry; entry = entry->next) {
 		struct ip_pool_addr4_range *range = entry->data;
 
-	total += (range->end - range->start) >>
+		total += (range->end - range->start) >>
 			(32 - subnet_prefix_len);
 	}
 
-- 
2.30.2