ospf6d: fix out of bounds write in ospf6_prefix_apply_mask

ospf6_prefix_apply_mask would write one byte beyond the 4/8/12
bytes allocated for prefixes of length 32/64/96.

based on report and patch by Jon Andersson <jon.andersson@thales.no>

Reported-by: Jon Andersson <jon.andersson@thales.no>
Signed-off-by: David Lamparter <equinox@diac24.net>

diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c
index c792aa4526136b8e79d5460cae5d785159a18465..d011601f07af70f95a86447796e604e173d5787d 100644 (file)
--- a/ospf6d/ospf6_proto.c
+++ b/ospf6d/ospf6_proto.c
@@ -42,11 +42,10 @@ ospf6_prefix_apply_mask (struct ospf6_prefix *op)
       return;
     }
 
-  if (index == 16)
-    return;
-
-  pnt[index] &= mask;
-  index ++;
+  /* nonzero mask means no check for this byte because if it contains
+   * prefix bits it must be there for us to write */
+  if (mask)
+    pnt[index++] &= mask;
 
   while (index < OSPF6_PREFIX_SPACE (op->prefix_length))
     pnt[index++] = 0;