From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 16 Mar 2022 10:45:49 +0000 (+0100)
Subject: traffic-selector: Avoid out-of-bound array access when calculating range
X-Git-Url: http://git.ipfire.org/?p=people%2Fms%2Fstrongswan.git;a=commitdiff_plain

traffic-selector: Avoid out-of-bound array access when calculating range

This happens for `/0` subnet masks.  In practice, it's not an issue because
if `bytes` is 0, then so are `netbits`, `bits` and `mask`.  So the two
incorrectly addressed array elements are not actually modified.  The first
operation is a `&= 0xff` and the second a `|= 0`, so nothing changes.
But some tools might not consider the values and report this as undefined
behavior, which it technically is.
---

diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index cfd2b029d..2735a5cc1 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -109,8 +109,12 @@ static void calc_range(private_traffic_selector_t *this, uint8_t netbits)
 	memcpy(this->to, this->from, bytes);
 	memset(this->from + bytes, 0x00, len - bytes);
 	memset(this->to   + bytes, 0xff, len - bytes);
-	this->from[bytes-1] &= ~mask;
-	this->to[bytes-1]   |=  mask;
+
+	if (bytes)
+	{
+		this->from[bytes-1] &= ~mask;
+		this->to[bytes-1]   |=  mask;
+	}
 }
 
 /**