authorDavid Lamparter <equinox@diac24.net>2010-05-31 12:02:31 +0200
committerDavid Lamparter <equinox@diac24.net>2012-02-11 15:26:19 +0100
commit4c0cf00afc4340a429a9c4830f638b4593d7c3af (patch)
tree572ec0a416b23456d42e42b9f7c9fba4b562fd2a
parent4afa50b393ff1fb34dd577888a05b81dfdced5af (diff)
ospf6d: fix out of bounds write in ospf6_prefix_apply_mask
ospf6_prefix_apply_mask would write one byte beyond the 4/8/12 bytes allocated for prefixes of length 32/64/96.

Based on report and patch by Jon Andersson <jon.andersson@thales.no>

Reported-by: Jon Andersson <jon.andersson@thales.no>
Signed-off-by: David Lamparter <equinox@diac24.net>
-rw-r--r--ospf6d/ospf6_proto.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c
index c792aa45..d011601f 100644
--- a/ospf6d/ospf6_proto.c
+++ b/ospf6d/ospf6_proto.c
@@ -42,11 +42,10 @@ ospf6_prefix_apply_mask (struct ospf6_prefix *op)
return;
}
- if (index == 16)
- return;
-
- pnt[index] &= mask;
- index ++;
+ /* nonzero mask means no check for this byte because if it contains
+ * prefix bits it must be there for us to write */
+ if (mask)
+ pnt[index++] &= mask;
while (index < OSPF6_PREFIX_SPACE (op->prefix_length))
pnt[index++] = 0;
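Review bot: Removing `if (index == 16) return;` leaves the `pnt[index++] &= mask;` write guarded only by `mask` being nonzero, which is safe only while `op->prefix_length` is at most 128. If a length of 129–135 can reach this function unvalidated (for example from a received LSA), index would presumably be 16 with a nonzero mask, so this write and the zero-fill loop after it could run past a 16-byte prefix; the removed early return used to stop that case. The check that ends just above this hunk is not visible here, so confirm it rejects on the length itself, e.g. `if (op->prefix_length > 128)`, rather than only on the byte index. The new comment could also state that precondition: `/* requires prefix_length <= 128 and a buffer of OSPF6_PREFIX_SPACE (prefix_length) bytes */`.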