From 94fd9aed1e54e3b586615eccd09bca4adac185fc Mon Sep 17 00:00:00 2001
From: Jan Vaclav <jvaclav@redhat.com>
Date: Thu, 19 Oct 2023 14:58:10 +0200
Subject: [PATCH] libnm: fix bounds check in _get_mac_blacklist_item()

The bounds checks are incorrect, as we cannot access the array at `idx == len`.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1767
Fixes: dfcb22133794 ('libnm-core: make _get_mac_address_blacklist() methods return arrays')
---
 src/libnm-core-impl/nm-setting-wired.c    | 9 ++++++++-
 src/libnm-core-impl/nm-setting-wireless.c | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/libnm-core-impl/nm-setting-wired.c b/src/libnm-core-impl/nm-setting-wired.c
index 31e71d663..8f56e27c8 100644
--- a/src/libnm-core-impl/nm-setting-wired.c
+++ b/src/libnm-core-impl/nm-setting-wired.c
@@ -312,6 +312,8 @@ nm_setting_wired_get_num_mac_blacklist_items(NMSettingWired *setting)
  * @setting: the #NMSettingWired
  * @idx: the zero-based index of the MAC address entry
  *
+ * Since 1.46, access at index "len" is allowed and returns NULL.
+ *
  * Returns: the blacklisted MAC address string (hex-digits-and-colons notation)
  * at index @idx
  **/
@@ -323,7 +325,12 @@ nm_setting_wired_get_mac_blacklist_item(NMSettingWired *setting, guint32 idx)
     g_return_val_if_fail(NM_IS_SETTING_WIRED(setting), NULL);
 
     priv = NM_SETTING_WIRED_GET_PRIVATE(setting);
-    g_return_val_if_fail(idx <= priv->mac_address_blacklist->len, NULL);
+
+    if (idx == priv->mac_address_blacklist->len) {
+        return NULL;
+    }
+
+    g_return_val_if_fail(idx < priv->mac_address_blacklist->len, NULL);
 
     return nm_g_array_index(priv->mac_address_blacklist, const char *, idx);
 }
diff --git a/src/libnm-core-impl/nm-setting-wireless.c b/src/libnm-core-impl/nm-setting-wireless.c
index 54bbf5e28..5effe8a74 100644
--- a/src/libnm-core-impl/nm-setting-wireless.c
+++ b/src/libnm-core-impl/nm-setting-wireless.c
@@ -497,6 +497,8 @@ nm_setting_wireless_get_num_mac_blacklist_items(NMSettingWireless *setting)
  * @setting: the #NMSettingWireless
  * @idx: the zero-based index of the MAC address entry
  *
+ * Since 1.46, access at index "len" is allowed and returns NULL.
+ *
  * Returns: the blacklisted MAC address string (hex-digits-and-colons notation)
  * at index @idx
  **/
@@ -508,7 +510,12 @@ nm_setting_wireless_get_mac_blacklist_item(NMSettingWireless *setting, guint32 i
     g_return_val_if_fail(NM_IS_SETTING_WIRELESS(setting), NULL);
 
     priv = NM_SETTING_WIRELESS_GET_PRIVATE(setting);
-    g_return_val_if_fail(idx <= priv->mac_address_blacklist->len, NULL);
+
+    if (idx == priv->mac_address_blacklist->len) {
+        return NULL;
+    }
+
+    g_return_val_if_fail(idx < priv->mac_address_blacklist->len, NULL);
 
     return nm_g_array_index(priv->mac_address_blacklist, const char *, idx);
 }