ospf6d: Fix write beyond data structure

Converting a 'struct prefix6' to a 'struct prefix'
and then doing a memcpy of the contents writes
beyond the end of the data structure.

Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>

ospf6d/ospf6_zebra.c

@@ -217,7 +217,7 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
   struct stream *s;
   struct zapi_ipv6 api;
   unsigned long ifindex;
-  struct prefix_ipv6 p, src_p;
+  struct prefix p, src_p;
   struct in6_addr *nexthop;
 
   if (ospf6 == NULL)
@@ -235,17 +235,17 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
   api.message = stream_getc (s);
 
   /* IPv6 prefix. */
-  memset (&p, 0, sizeof (struct prefix_ipv6));
+  memset (&p, 0, sizeof (struct prefix));
   p.family = AF_INET6;
   p.prefixlen = MIN(IPV6_MAX_PREFIXLEN, stream_getc (s));
-  stream_get (&p.prefix, s, PSIZE (p.prefixlen));
+  stream_get (&p.u.prefix6, s, PSIZE (p.prefixlen));
 
-  memset (&src_p, 0, sizeof (struct prefix_ipv6));
+  memset (&src_p, 0, sizeof (struct prefix));
   src_p.family = AF_INET6;
   if (CHECK_FLAG (api.message, ZAPI_MESSAGE_SRCPFX))
     {
       src_p.prefixlen = stream_getc (s);
-      stream_get (&src_p.prefix, s, PSIZE (src_p.prefixlen));
+      stream_get (&src_p.u.prefix6, s, PSIZE (src_p.prefixlen));
     }
 
   if (src_p.prefixlen)
@@ -294,10 +294,10 @@ ospf6_zebra_read_ipv6 (int command, struct zclient *zclient,
     }
  
   if (command == ZEBRA_REDISTRIBUTE_IPV6_ADD)
-    ospf6_asbr_redistribute_add (api.type, ifindex, (struct prefix *) &p,
+    ospf6_asbr_redistribute_add (api.type, ifindex, &p,
                                  api.nexthop_num, nexthop, api.tag);
   else
-    ospf6_asbr_redistribute_remove (api.type, ifindex, (struct prefix *) &p);
+    ospf6_asbr_redistribute_remove (api.type, ifindex, &p);
 
   if (CHECK_FLAG (api.message, ZAPI_MESSAGE_NEXTHOP))
     free (nexthop);