From 68f2278d84fe560123c2ec34275380ed1086b706 Mon Sep 17 00:00:00 2001 Message-ID: <68f2278d84fe560123c2ec34275380ed1086b706.1713796876.git.jdenemar@redhat.com> From: Martin Kletzander Date: Tue, 27 Feb 2024 16:20:12 +0100 Subject: [PATCH] Fix off-by-one error in udevListInterfacesByStatus MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ever since this function was introduced in 2012 it could've tried filling in an extra interface name. That was made worse in 2019 when the caller functions started accepting NULL arrays of size 0. This is assigned CVE-2024-1441. Signed-off-by: Martin Kletzander Reported-by: Alexander Kuznetsov Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15 Reviewed-by: Ján Tomko (cherry picked from commit c664015fe3a7bf59db26686e9ed69af011c6ebb8) Conflicts: - NEWS.rst: Removed the hunk Resolves: https://issues.redhat.com/browse/RHEL-25081 Signed-off-by: Martin Kletzander --- src/interface/interface_backend_udev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c index fb6799ed94..4091483060 100644 --- a/src/interface/interface_backend_udev.c +++ b/src/interface/interface_backend_udev.c @@ -222,7 +222,7 @@ udevListInterfacesByStatus(virConnectPtr conn, g_autoptr(virInterfaceDef) def = NULL; /* Ensure we won't exceed the size of our array */ - if (count > names_len) + if (count >= names_len) break; path = udev_list_entry_get_name(dev_entry); -- 2.44.0