From f61a56e25f2b2854cbd9551b48b7461f5c0c6ee7 Mon Sep 17 00:00:00 2001
From: Beniamino Galvani
Date: Tue, 10 Sep 2024 09:02:15 +0200
Subject: [PATCH] core: fix access to uninitialized memory in NMIPConfig
The string array returned by nm_l3_config_data_get_searches() is not NULL-terminated; we need to pass the exact length to nm_utils_buf_utf8safe_escape_strv() instead of letting the function scan for the NULL terminator. Fix the following error reported by valgrind: Conditional jump or move depends on uninitialised value(s) at 0x4B287DB: g_strv_length (gstrfuncs.c:2948) by 0x6EBDBE: nm_utils_buf_utf8safe_escape_strv (nm-shared-utils.c:3047) by 0x59A3F1: get_property_ip (nm-ip-config.c:198) by 0x4A6E150: UnknownInlinedFun (gobject.c:2140) by 0x4A6E150: g_object_get_property (gobject.c:3454) by 0x56FB1A: nm_dbus_utils_get_property (nm-dbus-utils.c:95) by 0x44B343: _obj_get_property (nm-dbus-manager.c:880) by 0x44DC4F: _nm_dbus_manager_obj_notify (nm-dbus-manager.c:1201) by 0x56EE77: dispatch_properties_changed (nm-dbus-object.c:253) by 0x4A5BF1E: g_object_notify_queue_thaw.lto_priv.0 (gobject.c:755) by 0x5997BD: _handle_l3cd_changed (nm-ip-config.c:837) by 0x59A129: _l3cfg_notify_cb (nm-ip-config.c:147) by 0x4A5B649: g_closure_invoke (gclosure.c:834) Fixes: 522a7d6bafcf ('nm-ip-config: escape searches when exposing to dbus')
---
 src/core/nm-ip-config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/nm-ip-config.c b/src/core/nm-ip-config.c
index 663e839e4..c9d9633b5 100644
--- a/src/core/nm-ip-config.c
+++ b/src/core/nm-ip-config.c
@@ -197,7 +197,7 @@ get_property_ip(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec
 if (strv) {
 strv = nm_utils_buf_utf8safe_escape_strv(
 strv,
-1,
+ len,
 NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_CTRL
 | NM_UTILS_STR_UTF8_SAFE_FLAG_ESCAPE_NON_ASCII,
 &to_free);
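Review bot: The `len,` argument in the nm_utils_buf_utf8safe_escape_strv() call depends on an invariant that is not visible at the call site, so a later cleanup could restore `-1` and bring back the scan past the end of the array. A short comment above the call would pin it, for example `/* the searches array is not NULL-terminated: always pass its explicit length */`. The assignment of `len` is outside the hunk, so it is worth confirming that it is filled by the same nm_l3_config_data_get_searches() call that returned `strv` and is not left over from another property branch. Per the commit message this value is exposed over D-Bus, so any later use of `strv` in get_property_ip() that assumes NULL termination would presumably over-read in the same way; the function starts and ends outside the hunk, so that cannot be checked from here.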