Protect against omitted being too large in network_prefix.

Thanks to Stephen Fisher.

Protect against omitted being too large in network_prefix.
Thanks to Stephen Fisher.
1732bc83 · Juliusz Chroboczek · cca56b2c · 1732bc83
Commit 1732bc83 authored Apr 08, 2011 by Juliusz Chroboczek
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

message.c message.c +3 -2

No files found.
--- a/message.c
+++ b/message.c
@@ -83,7 +83,8 @@ network_prefix(int ae, int plen, unsigned int omitted,
    switch(ae) {
    case 0: break;
    case 1:
-        if(pb > 4 || (pb > omitted && len < pb - omitted)) return -1;
+        if(omitted > 4 || pb > 4 || (pb > omitted && len < pb - omitted))
+            return -1;
        memcpy(prefix, v4prefix, 12);
        if(omitted) {
            if (dp == NULL || !v4mapped(dp)) return -1;
@@ -92,7 +93,7 @@ network_prefix(int ae, int plen, unsigned int omitted,
        if(pb > omitted) memcpy(prefix + 12 + omitted, p, pb);
        break;
    case 2:
-        if(pb > omitted && len < pb - omitted) return -1;
+        if(omitted > 16 || (pb > omitted && len < pb - omitted)) return -1;
        if(omitted) {
            if (dp == NULL || v4mapped(dp)) return -1;
            memcpy(prefix, dp, omitted);