ospf6d: don't access nexthops out of bounds
Given that the && is evaluated lazily from left to right,
i < OSPF6_MULTI_PATH_LIMIT should be checked prior to calling
ospf6_nexthop_is_set on the array element, not the other way around.
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Signed-off-by: Christian Franke <chris@opensourcerouting.org>
Acked-by: Donald Sharp <sharpd@cumulusnetworks.com>
diff --git a/ospf6d/ospf6_spf.c b/ospf6d/ospf6_spf.c
index ab18d38..ebb38b6 100644
--- a/ospf6d/ospf6_spf.c
+++ b/ospf6d/ospf6_spf.c
@@ -307,8 +307,8 @@
if (IS_OSPF6_DEBUG_SPF (PROCESS))
zlog_debug (" another path found, merge");
- for (i = 0; ospf6_nexthop_is_set (&v->nexthop[i]) &&
- i < OSPF6_MULTI_PATH_LIMIT; i++)
+ for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+ ospf6_nexthop_is_set (&v->nexthop[i]); i++)
{
for (j = 0; j < OSPF6_MULTI_PATH_LIMIT; j++)
{
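Review bot: The loop condition `i < OSPF6_MULTI_PATH_LIMIT && ospf6_nexthop_is_set (&v->nexthop[i])` is only safe in this operand order, and nothing in the code records that; the same condition is repeated in the hunks at lines 356 and 500. A short comment above each loop would help, for example `/* bound check first: a full nexthop[] has no unset terminator entry */`. Alternatively, one small static helper that returns the number of set nexthops would keep a later edit from reintroducing the read past the array. The size of nexthop[] is inferred from the loop bound, since its declaration is not in the hunk, and the loop body continues outside the hunk.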
@@ -356,8 +356,8 @@
route->path.options[1] = v->options[1];
route->path.options[2] = v->options[2];
- for (i = 0; ospf6_nexthop_is_set (&v->nexthop[i]) &&
- i < OSPF6_MULTI_PATH_LIMIT; i++)
+ for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+ ospf6_nexthop_is_set (&v->nexthop[i]); i++)
ospf6_nexthop_copy (&route->nexthop[i], &v->nexthop[i]);
if (v->parent)
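Review bot: When every slot of v->nexthop is set, this copy loop fills route->nexthop completely and leaves no unset entry to mark the end, so any later scan of route->nexthop also has to test the index before calling ospf6_nexthop_is_set. The same applies to w->nexthop in the hunk at line 500. Readers of these arrays are not visible in this diff, so it is worth searching ospf6d for other loops that still use the old operand order. When v has fewer nexthops than the limit, the remaining entries of route->nexthop are left untouched, which presumably relies on route being zero-initialised when it is created; that should be confirmed against the allocation site.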
@@ -500,8 +500,8 @@
ospf6_nexthop_calc (w, v, lsdesc);
else
{
- for (i = 0; ospf6_nexthop_is_set (&v->nexthop[i]) &&
- i < OSPF6_MULTI_PATH_LIMIT; i++)
+ for (i = 0; i < OSPF6_MULTI_PATH_LIMIT &&
+ ospf6_nexthop_is_set (&v->nexthop[i]); i++)
ospf6_nexthop_copy (&w->nexthop[i], &v->nexthop[i]);
}