Fix memory overwrites in SystemNative_GetNetworkInterfaces #125022

Open
gwr wants to merge 1 commit into dotnet:main from gwr:bug-getif

gwr (Contributor) commented Mar 1, 2026

Not only Android might see count = ip4count + ip6count, which would lead to overwriting the NetworkInterfaceInfo this is meant to return.

Something I discovered while working on #124728

Copilot AI review requested due to automatic review settings March 1, 2026 03:03
dotnet-policy-service bot added the community-contribution label (Indicates that the PR has been added by a community member) Mar 1, 2026
@dotnet-policy-service (Contributor)

Tagging subscribers to this area: @karelz, @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes a potential buffer overlap in SystemNative_GetNetworkInterfaces by ensuring the native allocation always reserves space for both the returned NetworkInterfaceInfo array and the IpAddressInfo array, even when getifaddrs returns only IPv4/IPv6 entries (so count == ip4count + ip6count).

Changes:

  • Make the allocation size always account for count + ip4count + ip6count entries to prevent overwriting the interface array.
  • Set addressList to start immediately after NetworkInterfaceInfo[count] (instead of a computed offset that can become 0).
  • Remove the Android-only conditional sizing logic and replace it with a platform-agnostic approach.

Copilot AI review requested due to automatic review settings March 1, 2026 03:15
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

src/native/libs/System.Native/pal_interfaceaddresses.c:365

  • On allocation failure, the getifaddrs() result in head is not freed before returning. This leaks the ifaddrs list in the OOM path; please call freeifaddrs(head) before setting errno/returning (and keep head valid for that call).
    void * memoryBlock = calloc((size_t)entriesCount, sizeof(NetworkInterfaceInfo));
    if (memoryBlock == NULL)
    {
        errno = ENOMEM;
        return -1;
    }

gwr (Contributor, Author) commented Mar 1, 2026

Fixed the assert, squash.

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Not only Android might see count = ip4count + ip6count,
which would lead to overwriting the NetworkInterfaceInfo
this is meant to return.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

gwr (Contributor, Author) commented Mar 1, 2026

An earlier version didn't build. Someone please "kick" the CI stuff to run again.

teo-tsirpanis reopened this Mar 2, 2026
rzikm requested a review from a team March 2, 2026 08:08
gwr added a commit to gwr/dotnet-runtime that referenced this pull request Mar 3, 2026

// Make no assumptions about how many ip4count + ip6count there may be.
// This does assume sizeof(NetworkInterfaceInfo) >= sizeof(IpAddressInfo)
// which is checked in an assert above this function.

int entriesCount = count + ip4count + ip6count;
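
Review bot: On the entriesCount line, every address slot is sized as a NetworkInterfaceInfo, which is why the comment has to lean on the sizeof(NetworkInterfaceInfo) >= sizeof(IpAddressInfo) assert. Computing the block size in bytes as count * sizeof(NetworkInterfaceInfo) + (ip4count + ip6count) * sizeof(IpAddressInfo) would remove that dependency and the over-allocation. The sum is also formed in int before the (size_t) cast at the calloc call, so a range check on the three counters before adding them would be worth having.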

Member

This part is curious. The count is the number of entries returned by getifaddrs. It does not seem like a single entry would have more addresses, so I'm wondering how we would get more than count addresses @gwr

Contributor Author

The failure happens where (in my example) we have two interfaces and three addresses.
I've attached a test program I used to demonstrate and debug, along with its output.
test-getif.cs
test-getif-out.txt

Where the non-Android path was starting writing addresses at (entriesCount - ip4count - ip6count) that would overwrite the first interface (NetworkInterfaceInfo*) that was already written to the combined output buffer. I could recreate and show you a gdb log if you like.
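
The overlap described in this thread, modelled as byte offsets inside the single allocated block. This is an added example, not code from the PR or from the dotnet runtime: IfaceRec, AddrRec, Layout and the three helper functions are hypothetical stand-ins, and the pre-change non-Android sizing (entriesCount = count) is an assumption inferred from the discussion.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in record types (assumption): only their sizes matter here; these are
   not the real NetworkInterfaceInfo / IpAddressInfo definitions. */
typedef struct { char name[16]; long index; int flags; int pad; } IfaceRec;
typedef struct { unsigned char addr[16]; int ifindex; int prefix; } AddrRec;

typedef struct {
    size_t blockBytes; /* size of the single allocated block */
    size_t addrStart;  /* byte offset where address records begin */
} Layout;

/* Non-Android layout before the change, as described in the thread:
   entriesCount = count (assumption), addresses start at slot
   entriesCount - ip4count - ip6count. */
static Layout old_layout(int count, int ip4, int ip6) {
    int entries = count;
    Layout l = { (size_t)entries * sizeof(IfaceRec),
                 (size_t)(entries - ip4 - ip6) * sizeof(IfaceRec) };
    return l;
}

/* Layout after the change: count + ip4count + ip6count slots, with the
   address list starting immediately after interface slot [count]. */
static Layout new_layout(int count, int ip4, int ip6) {
    int entries = count + ip4 + ip6;
    Layout l = { (size_t)entries * sizeof(IfaceRec),
                 (size_t)count * sizeof(IfaceRec) };
    return l;
}

/* Returns 1 when `ifaces` interface records and `addrs` address records fit
   in the block without the two regions overlapping, otherwise 0. */
static int layout_is_safe(Layout l, int ifaces, int addrs) {
    size_t ifaceEnd = (size_t)ifaces * sizeof(IfaceRec);
    size_t addrEnd = l.addrStart + (size_t)addrs * sizeof(AddrRec);
    return ifaceEnd <= l.addrStart && addrEnd <= l.blockBytes;
}

int main(void) {
    /* Constructed case from the thread: two interfaces, three addresses, and
       only IPv4/IPv6 entries returned, so count == ip4count + ip6count == 3. */
    int count = 3, ip4 = 2, ip6 = 1, ifaces = 2;
    printf("old layout safe: %d\n", layout_is_safe(old_layout(count, ip4, ip6), ifaces, ip4 + ip6));
    printf("new layout safe: %d\n", layout_is_safe(new_layout(count, ip4, ip6), ifaces, ip4 + ip6));
    return 0;
}
```

With count == ip4count + ip6count the old address offset is 0, so the first address record lands on top of the first interface record; the old layout only holds when the list also contains entries that are neither IPv4 nor IPv6.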

Labels

area-System.Net, community-contribution (Indicates that the PR has been added by a community member)
