ospf6d: fix out of bounds write in ospf6_prefix_apply_mask

ospf6_prefix_apply_mask would write one byte beyond the 4/8/12
bytes allocated for prefixes of length 32/64/96.

based on report and patch by Jon Andersson <jon.andersson@thales.no>

Reported-by: Jon Andersson <jon.andersson@thales.no>
Signed-off-by: David Lamparter <equinox@diac24.net>
This commit is contained in:
David Lamparter 2010-05-31 12:02:31 +02:00
parent 4afa50b393
commit 4c0cf00afc

View File

@ -42,11 +42,10 @@ ospf6_prefix_apply_mask (struct ospf6_prefix *op)
return;
}
if (index == 16)
return;
pnt[index] &= mask;
index ++;
/* nonzero mask means no check for this byte because if it contains
* prefix bits it must be there for us to write */
if (mask)
pnt[index++] &= mask;
while (index < OSPF6_PREFIX_SPACE (op->prefix_length))
pnt[index++] = 0;