From 6e73f01b6e69f44f8d9da4872fb796b9d80acac1 Mon Sep 17 00:00:00 2001
From: Dan Williams
Date: Tue, 3 Dec 2013 14:12:55 -0600
Subject: [PATCH] platform: fix possible out-of-bounds access with RA route masking

If the prefix length was 128, that could cause an access beyond the end of the array.

Found by Thomas Haller.
---
 src/rdisc/nm-lndp-rdisc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/rdisc/nm-lndp-rdisc.c b/src/rdisc/nm-lndp-rdisc.c
index abcc3c2d0..3299b32aa 100644
--- a/src/rdisc/nm-lndp-rdisc.c
+++ b/src/rdisc/nm-lndp-rdisc.c
@@ -415,9 +415,13 @@ set_address_masked (struct in6_addr *dst, struct in6_addr *src, guint8 plen)
 g_assert (src);
 g_assert (dst);
 
- memset (dst, 0, sizeof (*dst));
- memcpy (dst, src, nbytes);
- dst->s6_addr[nbytes] = (src->s6_addr[nbytes] & (0xFF << (8 - nbits)));
+ if (plen >= 128)
+ *dst = *src;
+ else {
+ memset (dst, 0, sizeof (*dst));
+ memcpy (dst, src, nbytes);
+ dst->s6_addr[nbytes] = (src->s6_addr[nbytes] & (0xFF << (8 - nbits)));
+ }
 }
 
 static int
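Review bot: The new `plen >= 128` branch silently treats an out-of-range prefix length as a full copy, so a value above 128 no longer overruns `s6_addr` but is neither reported nor rejected. Since `plen` appears to come from a received Router Advertisement, the caller (outside this hunk) should probably drop the option when `plen > 128` rather than rely on this helper, and the branch deserves a comment such as `/* plen > 128 is invalid; treated as /128 here, callers should reject it */`. Separately, the `else` path runs `memset (dst, 0, sizeof (*dst))` before `memcpy (dst, src, nbytes)`, which would lose the address if a caller ever passed the same pointer for `dst` and `src`; a `g_assert (dst != src);` next to the existing asserts would document that precondition. The function's opening lines, where `nbytes` and `nbits` are computed, are outside the hunk.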