From 4d966a3779f99aec39f5cb645351939717e34499 Mon Sep 17 00:00:00 2001
From: Jaehyun Kim <jeik01.kim@samsung.com>
Date: Wed, 8 Jan 2025 17:51:48 +0900
Subject: [PATCH] Fix stack OOB Write Vulnerability in vpn_service_init

An Out of Bounds Write vulnerability was discovered and fixed
in the vpn_service_init function of net-config,
which could be used to access the stack array without validation
by using a user-provided index,
thereby setting a value(0x00) in an out-of-bounds location.

Change-Id: I6140d21a7601efe4dad96b63a35385399993fd49
Signed-off-by: Jaehyun Kim <jeik01.kim@samsung.com>
---
 src/vpnsvc-internal.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/vpnsvc-internal.c b/src/vpnsvc-internal.c
index 0c71d45..57ffeaa 100755
--- a/src/vpnsvc-internal.c
+++ b/src/vpnsvc-internal.c
@@ -770,6 +770,12 @@ int vpn_service_init(const char* iface_name, size_t iface_name_len, int fd, vpns
 
 	ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
 
+	if (iface_name_len >= IFNAMSIZ) {
+		ERR("iface_name_len is too long: %zd", iface_name_len);
+		close(fd);
+		return VPNSVC_ERROR_INVALID_PARAMETER;
+	}
+
 	if (*iface_name)
 		strncpy(ifr.ifr_name, iface_name, iface_name_len);
 	ifr.ifr_name[iface_name_len] = '\0';
-- 
2.34.1