From 4c0cf00afc4340a429a9c4830f638b4593d7c3af Mon Sep 17 00:00:00 2001 From: David Lamparter Date: Mon, 31 May 2010 12:02:31 +0200 Subject: ospf6d: fix out of bounds write in ospf6_prefix_apply_mask ospf6_prefix_apply_mask would write one byte beyond the 4/8/12 bytes allocated for prefixes of length 32/64/96. based on report and patch by Jon Andersson Reported-by: Jon Andersson Signed-off-by: David Lamparter
---
ospf6d/ospf6_proto.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'ospf6d')
diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c
index c792aa45..d011601f 100644
--- a/ospf6d/ospf6_proto.c
+++ b/ospf6d/ospf6_proto.c
@@ -42,11 +42,10 @@ ospf6_prefix_apply_mask (struct ospf6_prefix *op)
 return;
 }
- if (index == 16)
- return;
-
- pnt[index] &= mask;
- index ++;
+ /* nonzero mask means no check for this byte because if it contains
+ * prefix bits it must be there for us to write */
+ if (mask)
+ pnt[index++] &= mask;
 while (index < OSPF6_PREFIX_SPACE (op->prefix_length))
 pnt[index++] = 0;
-- 
cgit v1.2.1
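Review bot: Removing the `if (index == 16) return;` guard means a prefix length of 129–135 can now reach `pnt[index++] &= mask;` with index 16, one byte past a 128-bit address, after which the zero-fill loop runs on up to OSPF6_PREFIX_SPACE. This assumes index is prefix_length / 8 and that mask is nonzero whenever the length is not a multiple of 8; both are computed above the hunk, and the earlier length check shows only its `return; }` here, so its condition cannot be confirmed. If this field can be filled from a received LSA, I would reject invalid lengths explicitly before the masked write, for example `if (op->prefix_length > 128) return;` together with the existing warning. The new comment's claim that the byte "must be there" holds only when the caller sized the buffer with OSPF6_PREFIX_SPACE for the same prefix_length, and the comment should state that precondition.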