From 4c273d643739e0c82456aaecf6937b3da2b32d15 Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol <pespin@sysmocom.de>
Date: Mon, 13 Jan 2020 12:58:30 +0100
Subject: ss7: Improve checks in osmo_ss7_asp_peer_add_host()

* Introduce check to make sure we don't write out of peer->host bounds.
* Clean up any/specific address checks, it should be more clear now.

Change-Id: I3ecb94267acbec6ecf2134b08110f24f131cd8cf
---
 src/osmo_ss7.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/osmo_ss7.c b/src/osmo_ss7.c
index 70ec847..b7d69cb 100644
--- a/src/osmo_ss7.c
+++ b/src/osmo_ss7.c
@@ -1149,19 +1149,25 @@ int osmo_ss7_asp_peer_add_host(struct osmo_ss7_asp_peer *peer, void *talloc_ctx,
 	bool new_is_any = !host || !strcmp(host, "0.0.0.0");
 	bool iter_is_any;
 
-	/* Makes no sense to have INET_ANY and specific addresses in the set */
-	for (i = 0; i < peer->host_cnt; i++) {
-			iter_is_any = !peer->host[i] ||
-				      !strcmp(peer->host[i], "0.0.0.0");
-			if (new_is_any && iter_is_any)
-				return -EINVAL;
-			if (!new_is_any && iter_is_any)
-				return -EINVAL;
-	}
-	/* Makes no sense to have INET_ANY many times */
-	if (new_is_any && peer->host_cnt)
+	if (peer->host_cnt >= ARRAY_SIZE(peer->host))
+		return -EINVAL;
+
+	/* Makes no sense to have INET_ANY many times, or INET_ANY together with
+	   specific addresses: */
+	if (new_is_any && peer->host_cnt != 0)
 		return -EINVAL;
 
+	/* Makes no sense to add specific address to set if INET_ANY is
+	   already set: */
+	if (!new_is_any) {
+		for (i = 0; i < peer->host_cnt; i++) {
+				iter_is_any = !peer->host[i] ||
+					      !strcmp(peer->host[i], "0.0.0.0");
+				if (iter_is_any)
+					return -EINVAL;
+		}
+	}
+
 	osmo_talloc_replace_string(talloc_ctx, &peer->host[peer->host_cnt], host);
 	peer->host_cnt++;
 	return 0;
-- 
cgit v1.2.3