platform: fix possible out-of-bounds access with RA route masking

If the prefix length was 128, that could cause an access beyond the end of the array. Found by Thomas Haller.
author: Dan Williams <dcbw@redhat.com> 2013-12-03 14:12:55 -0600
committer: Dan Williams <dcbw@redhat.com> 2013-12-03 14:25:08 -0600
commit: 6e73f01b6e69f44f8d9da4872fb796b9d80acac1 (patch)
tree: 071c691fd3a6a5d0e8dc88096d07e2edb8fcc582
parent: 7eb12a5b21f87d7592ec2c5235d1ed90c4fac132 (diff)
download: NetworkManager-6e73f01b6e69f44f8d9da4872fb796b9d80acac1.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/src/rdisc/nm-lndp-rdisc.c b/src/rdisc/nm-lndp-rdisc.c
index abcc3c2d01..3299b32aab 100644
--- a/src/rdisc/nm-lndp-rdisc.c
+++ b/src/rdisc/nm-lndp-rdisc.c
@@ -415,9 +415,13 @@ set_address_masked (struct in6_addr *dst, struct in6_addr *src, guint8 plen)
 	g_assert (src);
 	g_assert (dst);
 
-	memset (dst, 0, sizeof (*dst));
-	memcpy (dst, src, nbytes);
-	dst->s6_addr[nbytes] = (src->s6_addr[nbytes] & (0xFF << (8 - nbits)));
+	if (plen >= 128)
+		*dst = *src;
+	else {
+		memset (dst, 0, sizeof (*dst));
+		memcpy (dst, src, nbytes);
+		dst->s6_addr[nbytes] = (src->s6_addr[nbytes] & (0xFF << (8 - nbits)));
+	}
 }
 
 static int
author	Dan Williams <dcbw@redhat.com>	2013-12-03 14:12:55 -0600
committer	Dan Williams <dcbw@redhat.com>	2013-12-03 14:25:08 -0600
commit	6e73f01b6e69f44f8d9da4872fb796b9d80acac1 (patch)
tree	071c691fd3a6a5d0e8dc88096d07e2edb8fcc582
parent	7eb12a5b21f87d7592ec2c5235d1ed90c4fac132 (diff)
download	NetworkManager-6e73f01b6e69f44f8d9da4872fb796b9d80acac1.tar.gz