ospf6d: OoB read (Coverity 1221444 1221446)

Signed-off-by: F. Aragon <paco@voltanet.io>

diff --git a/ospf6d/ospf6_abr.c b/ospf6d/ospf6_abr.c
index b3aa3b21d2b5221e1d3eb76cf9395cd6764b1a23..cef32bc437119447a0a6cdaebe6862b7c1160161 100644 (file)
--- a/ospf6d/ospf6_abr.c
+++ b/ospf6d/ospf6_abr.c
@@ -864,7 +864,8 @@ void ospf6_abr_examin_summary(struct ospf6_lsa *lsa, struct ospf6_area *oa)
                                lsa->header);
                prefix.family = AF_INET6;
                prefix.prefixlen = prefix_lsa->prefix.prefix_length;
-               ospf6_prefix_in6_addr(&prefix.u.prefix6, &prefix_lsa->prefix);
+               ospf6_prefix_in6_addr(&prefix.u.prefix6, prefix_lsa,
+                                     &prefix_lsa->prefix);
                if (is_debug)
                        prefix2str(&prefix, buf, sizeof(buf));
                table = oa->ospf6->route_table;
@@ -1284,7 +1285,7 @@ static char *ospf6_inter_area_prefix_lsa_get_prefix_str(struct ospf6_lsa *lsa,
                        (struct ospf6_inter_prefix_lsa *)OSPF6_LSA_HEADER_END(
                                lsa->header);
 
-               ospf6_prefix_in6_addr(&in6, &prefix_lsa->prefix);
+               ospf6_prefix_in6_addr(&in6, prefix_lsa, &prefix_lsa->prefix);
                if (buf) {
                        inet_ntop(AF_INET6, &in6, buf, buflen);
                        sprintf(&buf[strlen(buf)], "/%d",

diff --git a/ospf6d/ospf6_asbr.c b/ospf6d/ospf6_asbr.c
index 7f575ee50638b8e5da6c56add7fa7f4cc802a34c..a7233965077b03b703500a94bd13ac59cc89b0e5 100644 (file)
--- a/ospf6d/ospf6_asbr.c
+++ b/ospf6d/ospf6_asbr.c
@@ -497,7 +497,8 @@ void ospf6_asbr_lsa_add(struct ospf6_lsa *lsa)
        route->type = OSPF6_DEST_TYPE_NETWORK;
        route->prefix.family = AF_INET6;
        route->prefix.prefixlen = external->prefix.prefix_length;
-       ospf6_prefix_in6_addr(&route->prefix.u.prefix6, &external->prefix);
+       ospf6_prefix_in6_addr(&route->prefix.u.prefix6, external,
+                             &external->prefix);
 
        route->path.area_id = asbr_entry->path.area_id;
        route->path.origin.type = lsa->header->type;
@@ -576,7 +577,7 @@ void ospf6_asbr_lsa_remove(struct ospf6_lsa *lsa,
        route_to_del->type = OSPF6_DEST_TYPE_NETWORK;
        route_to_del->prefix.family = AF_INET6;
        route_to_del->prefix.prefixlen = external->prefix.prefix_length;
-       ospf6_prefix_in6_addr(&route_to_del->prefix.u.prefix6,
+       ospf6_prefix_in6_addr(&route_to_del->prefix.u.prefix6, external,
                              &external->prefix);
 
        route_to_del->path.origin.type = lsa->header->type;
@@ -603,7 +604,7 @@ void ospf6_asbr_lsa_remove(struct ospf6_lsa *lsa,
        memset(&prefix, 0, sizeof(struct prefix));
        prefix.family = AF_INET6;
        prefix.prefixlen = external->prefix.prefix_length;
-       ospf6_prefix_in6_addr(&prefix.u.prefix6, &external->prefix);
+       ospf6_prefix_in6_addr(&prefix.u.prefix6, external, &external->prefix);
 
        route = ospf6_route_lookup(&prefix, ospf6->route_table);
        if (route == NULL) {
@@ -1705,7 +1706,8 @@ static char *ospf6_as_external_lsa_get_prefix_str(struct ospf6_lsa *lsa,
                        lsa->header);
 
                if (pos == 0) {
-                       ospf6_prefix_in6_addr(&in6, &external->prefix);
+                       ospf6_prefix_in6_addr(&in6, external,
+                                             &external->prefix);
                        prefix_length = external->prefix.prefix_length;
                } else {
                        in6 = *((struct in6_addr

diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 7898b109050ee506cf5706f7fc0de091b4630590..0ce08a61e259b67e9fdde0fddfc6ea5dc6481299 100644 (file)
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -1700,7 +1700,8 @@ void ospf6_intra_prefix_lsa_add(struct ospf6_lsa *lsa)
                memset(&route->prefix, 0, sizeof(struct prefix));
                route->prefix.family = AF_INET6;
                route->prefix.prefixlen = op->prefix_length;
-               ospf6_prefix_in6_addr(&route->prefix.u.prefix6, op);
+               ospf6_prefix_in6_addr(&route->prefix.u.prefix6,
+                                     intra_prefix_lsa, op);
 
                route->type = OSPF6_DEST_TYPE_NETWORK;
                route->path.origin.type = lsa->header->type;
@@ -1882,7 +1883,7 @@ void ospf6_intra_prefix_lsa_remove(struct ospf6_lsa *lsa)
                memset(&prefix, 0, sizeof(struct prefix));
                prefix.family = AF_INET6;
                prefix.prefixlen = op->prefix_length;
-               ospf6_prefix_in6_addr(&prefix.u.prefix6, op);
+               ospf6_prefix_in6_addr(&prefix.u.prefix6, intra_prefix_lsa, op);
 
                route = ospf6_route_lookup(&prefix, oa->route_table);
                if (route == NULL)

diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c
index 4b56a64b7f66803e9e788c3808316ccad5f356a2..864974c9a4c3d952723a1a9a6dede2e786c685ab 100644 (file)
--- a/ospf6d/ospf6_proto.c
+++ b/ospf6d/ospf6_proto.c
@@ -24,6 +24,16 @@
 
 #include "ospf6_proto.h"
 
+void ospf6_prefix_in6_addr(struct in6_addr *in6, const void *prefix_buf,
+                          const struct ospf6_prefix *p)
+{
+       ptrdiff_t in6_off = (caddr_t)p->addr - (caddr_t)prefix_buf;
+
+       memset(in6, 0, sizeof(struct in6_addr));
+       memcpy(in6, (uint8_t *)prefix_buf + in6_off,
+              OSPF6_PREFIX_SPACE(p->prefix_length));
+}
+
 void ospf6_prefix_apply_mask(struct ospf6_prefix *op)
 {
        uint8_t *pnt, mask;

diff --git a/ospf6d/ospf6_proto.h b/ospf6d/ospf6_proto.h
index ca2804c47624d52eeb7b0aa46ed1bc241f58fcb5..c9e7b549db8b4443cb99f86fb33c87b41ff11f44 100644 (file)
--- a/ospf6d/ospf6_proto.h
+++ b/ospf6d/ospf6_proto.h
@@ -84,13 +84,8 @@ struct ospf6_prefix {
 #define OSPF6_PREFIX_NEXT(x)                                                   \
        ((struct ospf6_prefix *)((caddr_t)(x) + OSPF6_PREFIX_SIZE(x)))
 
-#define ospf6_prefix_in6_addr(in6, op)                                         \
-       do {                                                                   \
-               memset(in6, 0, sizeof(struct in6_addr));                       \
-               memcpy(in6, (caddr_t)(op) + sizeof(struct ospf6_prefix),       \
-                      OSPF6_PREFIX_SPACE((op)->prefix_length));               \
-       } while (0)
-
+extern void ospf6_prefix_in6_addr(struct in6_addr *in6, const void *prefix_buf,
+                                 const struct ospf6_prefix *p);
 extern void ospf6_prefix_apply_mask(struct ospf6_prefix *op);
 extern void ospf6_prefix_options_printbuf(uint8_t prefix_options, char *buf,
                                          int size);