authorClaudio Jeker <claudio@cvs.openbsd.org>2010-06-09 17:36:37 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2010-06-09 17:36:37 +0000
commitc230e118543f45ee1e633a734ace7db754b4b3b4 (patch)
treee57ad6734d979f5d98c05fc6712c8c41f35a0b35
parent4a185d8f79007d6621830792874b660859a95d42 (diff)
Correctly decode prefixes. Fixes an infinite loop hit when the prefixlen is
not divisible by 32. Problem found and identified by Martin Pelikán.
-rw-r--r--usr.sbin/ospf6d/rde_lsdb.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/usr.sbin/ospf6d/rde_lsdb.c b/usr.sbin/ospf6d/rde_lsdb.c
index df85bed4a5d..c3a7692aa91 100644
--- a/usr.sbin/ospf6d/rde_lsdb.c
+++ b/usr.sbin/ospf6d/rde_lsdb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rde_lsdb.c,v 1.30 2010/03/01 08:55:45 claudio Exp $ */
+/* $OpenBSD: rde_lsdb.c,v 1.31 2010/06/09 17:36:36 claudio Exp $ */
/*
* Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org>
@@ -941,7 +941,7 @@ lsa_get_prefix(void *buf, u_int16_t len, struct rt_prefix *p)
struct lsa_prefix *lp = buf;
u_int32_t *buf32, *addr = NULL;
u_int8_t prefixlen;
- u_int16_t consumed = 0;
+ u_int16_t consumed;
if (len < sizeof(*lp))
return (-1);
@@ -957,9 +957,10 @@ lsa_get_prefix(void *buf, u_int16_t len, struct rt_prefix *p)
}
buf32 = (u_int32_t *)(lp + 1);
- consumed += sizeof(*lp);
+ consumed = sizeof(*lp);
- for (; ((prefixlen + 31) / 32) > 0; prefixlen -= 32) {
+ for (prefixlen = LSA_PREFIXSIZE(prefixlen) / sizeof(u_int32_t);
+ prefixlen > 0; prefixlen--) {
if (len < consumed + sizeof(u_int32_t))
return (-1);
if (addr)
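Review bot: The word count set up in the new `for` header is derived directly from `prefixlen`, and the only bound visible in this hunk is the `len` check against the input buffer; nothing shown here limits the count against the destination that `addr` points to. `prefixlen` is a `u_int8_t`, so it can be as large as 255, and if it is taken unchecked from the received LSA (the assignment sits between the two hunks and is not visible) the loop would run for more than the four 32-bit words an IPv6 address holds. A guard ahead of the loop such as `if (prefixlen > 128) return (-1);` would reject such a prefix before anything is copied. The loop body and the rest of lsa_get_prefix continue past the end of the hunk, so the write through `addr` is inferred from the `if (addr)` line rather than seen.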