author | David Lamparter <equinox@diac24.net> | 2010-05-31 12:02:31 +0200 |
---|---|---|
committer | David Lamparter <equinox@diac24.net> | 2012-02-11 15:26:19 +0100 |
commit | 4c0cf00afc4340a429a9c4830f638b4593d7c3af (patch) | |
tree | 572ec0a416b23456d42e42b9f7c9fba4b562fd2a | |
parent | 4afa50b393ff1fb34dd577888a05b81dfdced5af (diff) |
ospf6d: fix out of bounds write in ospf6_prefix_apply_mask
ospf6_prefix_apply_mask would write one byte beyond the 4/8/12
bytes allocated for prefixes of length 32/64/96.
based on report and patch by Jon Andersson <jon.andersson@thales.no>
Reported-by: Jon Andersson <jon.andersson@thales.no>
Signed-off-by: David Lamparter <equinox@diac24.net>
-rw-r--r-- | ospf6d/ospf6_proto.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c index c792aa45..d011601f 100644 --- a/ospf6d/ospf6_proto.c +++ b/ospf6d/ospf6_proto.c @@ -42,11 +42,10 @@ ospf6_prefix_apply_mask (struct ospf6_prefix *op) return; } - if (index == 16) - return; - - pnt[index] &= mask; - index ++; + /* nonzero mask means no check for this byte because if it contains + * prefix bits it must be there for us to write */ + if (mask) + pnt[index++] &= mask; while (index < OSPF6_PREFIX_SPACE (op->prefix_length)) pnt[index++] = 0; |
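Review bot: the new comment above `if (mask)` carries the whole safety argument for `pnt[index++] &= mask;` but does not state the invariant it relies on, and the assignments to `mask` and `index` sit above the visible context. If the intent is that a nonzero mask only occurs when the prefix length is not a multiple of 8, please say so in the comment, along with the consequence that byte `index` then holds prefix bits and lies inside `OSPF6_PREFIX_SPACE (op->prefix_length)`. With the `if (index == 16) return;` guard removed, the masked write is bounded only by that invariant and by the earlier check ending in `return; }`, so it is worth confirming that check rejects any prefix_length that would put `index` at 16 with a nonzero mask.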