lib: nrf_modem_lib: Fix possible buffer overflow

tokangas · rlubos · commit e5ad5a410aff · 2025-03-28T11:54:55.000+01:00
Fixed buffer overflow when getsockopt() is called for
SO_RCVTIMEO or SO_SNDTIMEO with a buffer which is too small
for the timeval structure.

Signed-off-by: Tommi Kangas &lt;tommi.kangas@nordicsemi.no&gt;
diff --git a/lib/nrf_modem_lib/nrf9x_sockets.c b/lib/nrf_modem_lib/nrf9x_sockets.c
@@ -564,11 +564,13 @@ static int nrf9x_socket_offload_getsockopt(void *obj, int level, int optname,
 				}
 			} else if ((optname == SO_RCVTIMEO) ||
 				(optname == SO_SNDTIMEO)) {
-				((struct timeval *)optval)->tv_sec =
-					nrf_timeo.tv_sec;
-				((struct timeval *)optval)->tv_usec =
-					nrf_timeo.tv_usec;
-				*optlen = sizeof(struct timeval);
+				struct timeval tv;
+				size_t tvlen = MIN(sizeof(struct timeval), *optlen);
+
+				tv.tv_sec = nrf_timeo.tv_sec;
+				tv.tv_usec = nrf_timeo.tv_usec;
+				memcpy(optval, &tv, tvlen);
+				*optlen = tvlen;
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -564,11 +564,13 @@ static int nrf9x_socket_offload_getsockopt(void *obj, int level, int optname,`
`564`	`564`	`}`
`565`	`565`	`} else if ((optname == SO_RCVTIMEO) \|\|`
`566`	`566`	`(optname == SO_SNDTIMEO)) {`
`567`		`- ((struct timeval *)optval)->tv_sec =`
`568`		`- nrf_timeo.tv_sec;`
`569`		`- ((struct timeval *)optval)->tv_usec =`
`570`		`- nrf_timeo.tv_usec;`
`571`		`- *optlen = sizeof(struct timeval);`
	`567`	`+ struct timeval tv;`
	`568`	`+ size_t tvlen = MIN(sizeof(struct timeval), *optlen);`
	`569`	`+`
	`570`	`+ tv.tv_sec = nrf_timeo.tv_sec;`
	`571`	`+ tv.tv_usec = nrf_timeo.tv_usec;`
	`572`	`+ memcpy(optval, &tv, tvlen);`
	`573`	`+ *optlen = tvlen;`
`572`	`574`	`}`
`573`	`575`	`}`
`574`	`576`	`}`