From 6c4bd5c5efea168a63ddb150cee1d0755a19c980 Mon Sep 17 00:00:00 2001 From: Nathan Hartman <59230071+hartmannathan@users.noreply.github.com> Date: Thu, 15 Sep 2022 10:57:51 -0400 Subject: [PATCH] net: Fix memcpy() size used by SIOCSIFHWADDR for radios * net/netdev/netdev_ioctl.c: (netdev_ifr_ioctl): The ioctl SIOCSIFHWADDR sets the hardware address (e.g., Ethernet MAC, etc.) of a network interface. Radio devices may have different lengths of hardware addresses, such as NET_6LOWPAN_EADDRSIZE (8), NET_6LOWPAN_SADDRSIZE (2), or RADIO_MAX_ADDRLEN (8). Also, Kconfig CONFIG_PKTRADIO_ADDRLEN allows the user to set any arbitrary size. Note that while the sister ioctl SIOCGIFHWADDR "get hardware address" copies `dev->d_mac.radio.nv_addrlen` bytes, SIOCSIFHWADDR was copying NET_6LOWPAN_ADDRSIZE bytes unconditionally. Depending on which radio is used, this could be incorrect. Fixing it to use `dev->d_mac.radio.nv_addrlen` for SIOCSIFHWADDR as well. Also adding DEBUGASSERT to ensure this is within bounds of source and destination of the copy. --- net/netdev/netdev_ioctl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/net/netdev/netdev_ioctl.c b/net/netdev/netdev_ioctl.c index ed9ecf6645..a6facbe41f 100644 --- a/net/netdev/netdev_ioctl.c +++ b/net/netdev/netdev_ioctl.c @@ -950,8 +950,14 @@ static int netdev_ifr_ioctl(FAR struct socket *psock, int cmd, if (ret >= 0) { dev->d_mac.radio.nv_addrlen = properties.sp_addrlen; + + DEBUGASSERT(dev->d_mac.radio.nv_addrlen <= + sizeof(dev->d_mac.radio.nv_addr)); + DEBUGASSERT(dev->d_mac.radio.nv_addrlen <= + sizeof(req->ifr_hwaddr.sa_data)); + memcpy(dev->d_mac.radio.nv_addr, - req->ifr_hwaddr.sa_data, NET_6LOWPAN_ADDRSIZE); + req->ifr_hwaddr.sa_data, dev->d_mac.radio.nv_addrlen); } } else
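Review bot: The two DEBUGASSERT bounds checks ahead of the memcpy() in netdev_ifr_ioctl() only take effect in builds with assertions enabled, so in other builds the copy length `dev->d_mac.radio.nv_addrlen`, which is taken from `properties.sp_addrlen`, is still unchecked against `sizeof(dev->d_mac.radio.nv_addr)` and `sizeof(req->ifr_hwaddr.sa_data)`. Consider validating `properties.sp_addrlen` against both sizes at run time before it is stored in `nv_addrlen`, and returning an error instead of copying when it is out of range; the DEBUGASSERTs can stay as a development aid. As written, the assignment to `nv_addrlen` also precedes the checks, so an out-of-range length is already recorded in the device structure by the time an assertion would fire.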