mirror of
https://git.proxmox.com/git/mirror_frr
synced 2025-08-14 16:04:49 +00:00
ospf6d: OoB read (Coverity 1221444 1221446)
Signed-off-by: F. Aragon <paco@voltanet.io>
This commit is contained in:
paco
F. Aragon
parent
71a7b1f82f
commit
b8ce0c3696
@ -864,7 +864,8 @@ void ospf6_abr_examin_summary(struct ospf6_lsa *lsa, struct ospf6_area *oa)
|
||||
lsa->header);
|
||||
prefix.family = AF_INET6;
|
||||
prefix.prefixlen = prefix_lsa->prefix.prefix_length;
|
||||
ospf6_prefix_in6_addr(&prefix.u.prefix6, &prefix_lsa->prefix);
|
||||
ospf6_prefix_in6_addr(&prefix.u.prefix6, prefix_lsa,
|
||||
&prefix_lsa->prefix);
|
||||
if (is_debug)
|
||||
prefix2str(&prefix, buf, sizeof(buf));
|
||||
table = oa->ospf6->route_table;
|
||||
@ -1284,7 +1285,7 @@ static char *ospf6_inter_area_prefix_lsa_get_prefix_str(struct ospf6_lsa *lsa,
|
||||
(struct ospf6_inter_prefix_lsa *)OSPF6_LSA_HEADER_END(
|
||||
lsa->header);
|
||||
|
||||
ospf6_prefix_in6_addr(&in6, &prefix_lsa->prefix);
|
||||
ospf6_prefix_in6_addr(&in6, prefix_lsa, &prefix_lsa->prefix);
|
||||
if (buf) {
|
||||
inet_ntop(AF_INET6, &in6, buf, buflen);
|
||||
sprintf(&buf[strlen(buf)], "/%d",
|
||||
|
||||
@ -497,7 +497,8 @@ void ospf6_asbr_lsa_add(struct ospf6_lsa *lsa)
|
||||
route->type = OSPF6_DEST_TYPE_NETWORK;
|
||||
route->prefix.family = AF_INET6;
|
||||
route->prefix.prefixlen = external->prefix.prefix_length;
|
||||
ospf6_prefix_in6_addr(&route->prefix.u.prefix6, &external->prefix);
|
||||
ospf6_prefix_in6_addr(&route->prefix.u.prefix6, external,
|
||||
&external->prefix);
|
||||
|
||||
route->path.area_id = asbr_entry->path.area_id;
|
||||
route->path.origin.type = lsa->header->type;
|
||||
@ -576,7 +577,7 @@ void ospf6_asbr_lsa_remove(struct ospf6_lsa *lsa,
|
||||
route_to_del->type = OSPF6_DEST_TYPE_NETWORK;
|
||||
route_to_del->prefix.family = AF_INET6;
|
||||
route_to_del->prefix.prefixlen = external->prefix.prefix_length;
|
||||
ospf6_prefix_in6_addr(&route_to_del->prefix.u.prefix6,
|
||||
ospf6_prefix_in6_addr(&route_to_del->prefix.u.prefix6, external,
|
||||
&external->prefix);
|
||||
|
||||
route_to_del->path.origin.type = lsa->header->type;
|
||||
@ -603,7 +604,7 @@ void ospf6_asbr_lsa_remove(struct ospf6_lsa *lsa,
|
||||
memset(&prefix, 0, sizeof(struct prefix));
|
||||
prefix.family = AF_INET6;
|
||||
prefix.prefixlen = external->prefix.prefix_length;
|
||||
ospf6_prefix_in6_addr(&prefix.u.prefix6, &external->prefix);
|
||||
ospf6_prefix_in6_addr(&prefix.u.prefix6, external, &external->prefix);
|
||||
|
||||
route = ospf6_route_lookup(&prefix, ospf6->route_table);
|
||||
if (route == NULL) {
|
||||
@ -1705,7 +1706,8 @@ static char *ospf6_as_external_lsa_get_prefix_str(struct ospf6_lsa *lsa,
|
||||
lsa->header);
|
||||
|
||||
if (pos == 0) {
|
||||
ospf6_prefix_in6_addr(&in6, &external->prefix);
|
||||
ospf6_prefix_in6_addr(&in6, external,
|
||||
&external->prefix);
|
||||
prefix_length = external->prefix.prefix_length;
|
||||
} else {
|
||||
in6 = *((struct in6_addr
|
||||
|
||||
@ -1700,7 +1700,8 @@ void ospf6_intra_prefix_lsa_add(struct ospf6_lsa *lsa)
|
||||
memset(&route->prefix, 0, sizeof(struct prefix));
|
||||
route->prefix.family = AF_INET6;
|
||||
route->prefix.prefixlen = op->prefix_length;
|
||||
ospf6_prefix_in6_addr(&route->prefix.u.prefix6, op);
|
||||
ospf6_prefix_in6_addr(&route->prefix.u.prefix6,
|
||||
intra_prefix_lsa, op);
|
||||
|
||||
route->type = OSPF6_DEST_TYPE_NETWORK;
|
||||
route->path.origin.type = lsa->header->type;
|
||||
@ -1882,7 +1883,7 @@ void ospf6_intra_prefix_lsa_remove(struct ospf6_lsa *lsa)
|
||||
memset(&prefix, 0, sizeof(struct prefix));
|
||||
prefix.family = AF_INET6;
|
||||
prefix.prefixlen = op->prefix_length;
|
||||
ospf6_prefix_in6_addr(&prefix.u.prefix6, op);
|
||||
ospf6_prefix_in6_addr(&prefix.u.prefix6, intra_prefix_lsa, op);
|
||||
|
||||
route = ospf6_route_lookup(&prefix, oa->route_table);
|
||||
if (route == NULL)
|
||||
|
||||
@ -24,6 +24,16 @@
|
||||
|
||||
#include "ospf6_proto.h"
|
||||
|
||||
void ospf6_prefix_in6_addr(struct in6_addr *in6, const void *prefix_buf,
|
||||
const struct ospf6_prefix *p)
|
||||
{
|
||||
ptrdiff_t in6_off = (caddr_t)p->addr - (caddr_t)prefix_buf;
|
||||
|
||||
memset(in6, 0, sizeof(struct in6_addr));
|
||||
memcpy(in6, (uint8_t *)prefix_buf + in6_off,
|
||||
OSPF6_PREFIX_SPACE(p->prefix_length));
|
||||
}
|
||||
|
||||
void ospf6_prefix_apply_mask(struct ospf6_prefix *op)
|
||||
{
|
||||
uint8_t *pnt, mask;
|
||||
|
||||
@ -84,13 +84,8 @@ struct ospf6_prefix {
|
||||
#define OSPF6_PREFIX_NEXT(x) \
|
||||
((struct ospf6_prefix *)((caddr_t)(x) + OSPF6_PREFIX_SIZE(x)))
|
||||
|
||||
#define ospf6_prefix_in6_addr(in6, op) \
|
||||
do { \
|
||||
memset(in6, 0, sizeof(struct in6_addr)); \
|
||||
memcpy(in6, (caddr_t)(op) + sizeof(struct ospf6_prefix), \
|
||||
OSPF6_PREFIX_SPACE((op)->prefix_length)); \
|
||||
} while (0)
|
||||
|
||||
extern void ospf6_prefix_in6_addr(struct in6_addr *in6, const void *prefix_buf,
|
||||
const struct ospf6_prefix *p);
|
||||
extern void ospf6_prefix_apply_mask(struct ospf6_prefix *op);
|
||||
extern void ospf6_prefix_options_printbuf(uint8_t prefix_options, char *buf,
|
||||
int size);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user