diff options
author | Dan Williams <dcbw@redhat.com> | 2013-12-03 14:12:55 -0600 |
---|---|---|
committer | Dan Williams <dcbw@redhat.com> | 2013-12-03 14:25:08 -0600 |
commit | 6e73f01b6e69f44f8d9da4872fb796b9d80acac1 (patch) | |
tree | 071c691fd3a6a5d0e8dc88096d07e2edb8fcc582 | |
parent | 7eb12a5b21f87d7592ec2c5235d1ed90c4fac132 (diff) | |
download | NetworkManager-6e73f01b6e69f44f8d9da4872fb796b9d80acac1.tar.gz |
platform: fix possible out-of-bounds access with RA route masking
If the prefix length was 128, that could cause an access beyond the
end of the array. Found by Thomas Haller.
-rw-r--r-- | src/rdisc/nm-lndp-rdisc.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/rdisc/nm-lndp-rdisc.c b/src/rdisc/nm-lndp-rdisc.c index abcc3c2d01..3299b32aab 100644 --- a/src/rdisc/nm-lndp-rdisc.c +++ b/src/rdisc/nm-lndp-rdisc.c @@ -415,9 +415,13 @@ set_address_masked (struct in6_addr *dst, struct in6_addr *src, guint8 plen) g_assert (src); g_assert (dst); - memset (dst, 0, sizeof (*dst)); - memcpy (dst, src, nbytes); - dst->s6_addr[nbytes] = (src->s6_addr[nbytes] & (0xFF << (8 - nbits))); + if (plen >= 128) + *dst = *src; + else { + memset (dst, 0, sizeof (*dst)); + memcpy (dst, src, nbytes); + dst->s6_addr[nbytes] = (src->s6_addr[nbytes] & (0xFF << (8 - nbits))); + } } static int |