ospf6d: fix out of bounds write in ospf6_prefix_apply_mask

ospf6_prefix_apply_mask would write one byte beyond the 4/8/12
bytes allocated for prefixes of length 32/64/96.

based on report and patch by Jon Andersson <jon.andersson@thales.no>

Reported-by: Jon Andersson <jon.andersson@thales.no>
Signed-off-by: David Lamparter <equinox@diac24.net>
David Lamparter 9 years ago
parent
commit
4c0cf00afc
1 changed files with 4 additions and 5 deletions
ospf6d/ospf6_proto.c

@@ -42,11 +42,10 @@ ospf6_prefix_apply_mask (struct ospf6_prefix *op)
       return;
     }
 
-  if (index == 16)
-    return;
-
-  pnt[index] &= mask;
-  index ++;
+  /* nonzero mask means no check for this byte because if it contains
+   * prefix bits it must be there for us to write */
+  if (mask)
+    pnt[index++] &= mask;
 
   while (index < OSPF6_PREFIX_SPACE (op->prefix_length))
     pnt[index++] = 0;
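
Review bot: The new `if (mask)` test now carries the whole bounds check that the removed `if (index == 16) return;` used to provide, and it is safe only if `mask` is exactly zero whenever `prefix_length` is a multiple of 8 (32/64/96 from the commit message, and 128 where `index` reaches 16). The computation and type of `mask` are outside this hunk, so confirm that it is an 8-bit value that cannot keep stray high bits from a shift; if it were wider, the test would pass and `pnt[index++] &= mask;` would still touch the byte past the allocation. The comment would be easier to audit if it stated that invariant directly, for example "mask == 0 iff prefix_length % 8 == 0, so pnt[index] is only touched when it holds prefix bits". The trailing `while (index < OSPF6_PREFIX_SPACE (op->prefix_length))` loop also relies on `OSPF6_PREFIX_SPACE` never exceeding the allocated size, which is worth a short note since it is now the only write left for the aligned lengths.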