diff options
| author | melifaro <melifaro@FreeBSD.org> | 2016-06-05 10:33:53 +0000 |
|---|---|---|
| committer | melifaro <melifaro@FreeBSD.org> | 2016-06-05 10:33:53 +0000 |
| commit | 8f8138fdd302725788696bcadeeaea7000b7e251 (patch) | |
| tree | b1ca62d826ac9a378d8b912ad396427454752363 | |
| parent | b70f46c9797f2283f36872b7e0ddba2bdb9ac028 (diff) | |
| download | FreeBSD-src-8f8138fdd302725788696bcadeeaea7000b7e251.zip FreeBSD-src-8f8138fdd302725788696bcadeeaea7000b7e251.tar.gz | |
Fix 4-byte overflow in ipv6_writemask.
This bug could cause some IPv6 table prefix delete requests to fail.
Obtained from: Yandex LLC
| -rw-r--r-- | sys/netpfil/ipfw/ip_fw_table_algo.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netpfil/ipfw/ip_fw_table_algo.c b/sys/netpfil/ipfw/ip_fw_table_algo.c index bd6a54d..97bc879 100644 --- a/sys/netpfil/ipfw/ip_fw_table_algo.c +++ b/sys/netpfil/ipfw/ip_fw_table_algo.c @@ -590,7 +590,8 @@ ipv6_writemask(struct in6_addr *addr6, uint8_t mask) for (cp = (uint32_t *)addr6; mask >= 32; mask -= 32) *cp++ = 0xFFFFFFFF; - *cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0); + if (mask > 0) + *cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0); } #endif |
