diff options
| author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-09-16 08:53:03 +0000 |
|---|---|---|
| committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-09-16 08:53:03 +0000 |
| commit | 288a54421e68eb7a6c13a2c3594d1426752628dc (patch) | |
| tree | ddfb535128091652f62adb3ca55b7e86ccd64f6f /usr.sbin/rad | |
| parent | b5def64de55a2a39374221bb2c618e52880a6339 (diff) | |
With prefixlen 128, mask_prefix() in rad(8) caused a stack overflow
in the config parser. Add an out of bounds check for the in6_addr.
OK florian@
Diffstat (limited to 'usr.sbin/rad')
| -rw-r--r-- | usr.sbin/rad/rad.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/usr.sbin/rad/rad.c b/usr.sbin/rad/rad.c index 3be3de92e3f..0f936a06037 100644 --- a/usr.sbin/rad/rad.c +++ b/usr.sbin/rad/rad.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rad.c,v 1.15 2018/08/05 09:37:05 mestre Exp $ */ +/* $OpenBSD: rad.c,v 1.16 2018/09/16 08:53:02 bluhm Exp $ */ /* * Copyright (c) 2018 Florian Obser <florian@openbsd.org> @@ -778,7 +778,8 @@ config_clear(struct rad_conf *conf) free(conf); } -void mask_prefix(struct in6_addr* in6, int len) +void +mask_prefix(struct in6_addr* in6, int len) { uint8_t bitmask[8] = {0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe}; int i, skip; @@ -788,7 +789,8 @@ void mask_prefix(struct in6_addr* in6, int len) skip = len / 8; - in6->s6_addr[skip] &= bitmask[len % 8]; + if (skip < 16) + in6->s6_addr[skip] &= bitmask[len % 8]; for (i = skip + 1; i < 16; i++) in6->s6_addr[i] = 0; |