lib: nrf_modem: Clear the address structure on recvfrom

rlubos · rlubos · commit 9f2189ac9984 · 2022-01-21T12:47:08.000+01:00
Always zero the sender address structure before passing it to
`nrf_recvfrom()` and only use it when the function is successful.

This fixes a bug where the offloading code would peek into a
uninitialized structure and perform an out of bounds memory copy,
which could have happened when the application was compiled
without IPv6 support and:
- the socket protocol did not provide a sender address (DTLS) or
- the recvfrom() call failed, leaving the structure untouched

Signed-off-by: Robert Lubos &lt;robert.lubos@nordicsemi.no&gt;
Signed-off-by: Emanuele Di Santo &lt;emdi@nordicsemi.no&gt;
Signed-off-by: Divya Pillai &lt;divya.pillai@nordicsemi.no&gt;
diff --git a/doc/nrf/releases/release-notes-changelog.rst b/doc/nrf/releases/release-notes-changelog.rst
@@ -211,6 +211,10 @@ Libraries for networking
 Modem libraries
 ---------------
 
+* :ref:`nrf_modem_lib_readme` library:
+
+  * Fixed a bug in the socket offloading component, where the :c:func:`recvfrom` wrapper could do an out-of-bounds copy of the sender's address, when the application is compiled without IPv6 support. In some cases, the out of bounds copy could indefinitely block the :c:func:`send` and other socket API calls.
+
 * :ref:`at_monitor_readme` library:
 
   * Introduced AT_MONITOR_ISR macro to monitor AT notifications in an interrupt service routine.
diff --git a/lib/nrf_modem_lib/nrf91_sockets.c b/lib/nrf_modem_lib/nrf91_sockets.c
@@ -850,12 +850,16 @@ static ssize_t nrf91_socket_offload_recvfrom(void *obj, void *buf, size_t len,
 				      NULL, NULL);
 	} else {
 		/* Allocate space for maximum of IPv4 and IPv6 family type. */
-		struct nrf_sockaddr_in6 cliaddr_storage;
+		struct nrf_sockaddr_in6 cliaddr_storage = { 0 };
 		nrf_socklen_t sock_len = sizeof(struct nrf_sockaddr_in6);
 		struct nrf_sockaddr *cliaddr = (struct nrf_sockaddr *)&cliaddr_storage;
 
 		retval = nrf_recvfrom(ctx->nrf_fd, buf, len, z_to_nrf_flags(flags),
 				      cliaddr, &sock_len);
+		if (retval < 0) {
+			goto exit;
+		}
+
 		if (cliaddr->sa_family == NRF_AF_INET) {
 			nrf_to_z_ipv4(from, (struct nrf_sockaddr_in *)cliaddr);
 			*fromlen = sizeof(struct sockaddr_in);
@@ -866,6 +870,7 @@ static ssize_t nrf91_socket_offload_recvfrom(void *obj, void *buf, size_t len,
 		}
 	}
 
+exit:
 	k_mutex_lock(ctx->lock, K_FOREVER);
 
 	return retval;
