ospf6d: fix out of bounds write in ospf6_prefix_apply_mask
ospf6_prefix_apply_mask would write one byte beyond the 4/8/12
bytes allocated for prefixes of length 32/64/96.
Based on report and patch by Jon Andersson <jon.andersson@thales.no>
Reported-by: Jon Andersson <jon.andersson@thales.no>
Signed-off-by: David Lamparter <equinox@diac24.net>
diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c
index c792aa4..d011601 100644
--- a/ospf6d/ospf6_proto.c
+++ b/ospf6d/ospf6_proto.c
@@ -42,11 +42,10 @@
return;
}
- if (index == 16)
- return;
-
- pnt[index] &= mask;
- index ++;
+ /* nonzero mask means no check for this byte because if it contains
+ * prefix bits it must be there for us to write */
+ if (mask)
+ pnt[index++] &= mask;
while (index < OSPF6_PREFIX_SPACE (op->prefix_length))
pnt[index++] = 0;
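Review bot: Removing the `if (index == 16) return;` guard means `pnt[index++] &= mask;` can now run with index 16 whenever mask is nonzero, a case the old code always skipped. The length check that ends in the context lines above the hunk is not visible here, so please confirm it rejects every prefix length above 128, or add an explicit `op->prefix_length > 128` rejection before the masked write. The `if (mask)` test also relies on mask being exactly zero for byte-aligned lengths (the 32/64/96 cases from the commit message), which only holds if mask is an 8-bit value, so that the shifted-out bits are discarded. Its declaration and computation are outside this hunk, and the new comment would be clearer if it stated that assumption directly.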