ospf6d: fix out of bounds write in ospf6_prefix_apply_mask

ospf6_prefix_apply_mask would write one byte beyond the 4/8/12 bytes allocated for prefixes of length 32/64/96. based on report and patch by Jon Andersson <[email protected]> Reported-by: Jon Andersson <[email protected]> Signed-off-by: David Lamparter <[email protected]>
vipinj · Feb 11, 2012 · 4c0cf00 · 4c0cf00
1 parent 4afa50b
commit 4c0cf00
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c
@@ -42,11 +42,10 @@ ospf6_prefix_apply_mask (struct ospf6_prefix *op)
       return;
     }
 
-  if (index == 16)
-    return;
-
-  pnt[index] &= mask;
-  index ++;
+  /* nonzero mask means no check for this byte because if it contains
+   * prefix bits it must be there for us to write */
+  if (mask)
+    pnt[index++] &= mask;
 
   while (index < OSPF6_PREFIX_SPACE (op->prefix_length))
     pnt[index++] = 0;