diff options
author | Alexander V. Chernikov <melifaro@FreeBSD.org> | 2016-06-05 10:33:53 +0000 |
---|---|---|
committer | Alexander V. Chernikov <melifaro@FreeBSD.org> | 2016-06-05 10:33:53 +0000 |
commit | 37aefa2ad1eaf8e6de091e822f599d09c6956e34 (patch) | |
tree | b1ca62d826ac9a378d8b912ad396427454752363 | |
parent | 912517a7d406640dc50c83f5ec2754efd6762713 (diff) | |
download | src-37aefa2ad1eaf8e6de091e822f599d09c6956e34.tar.gz src-37aefa2ad1eaf8e6de091e822f599d09c6956e34.zip |
Fix 4-byte overflow in ipv6_writemask.
This bug could cause some IPv6 table prefix delete requests to fail.
Obtained from: Yandex LLC
Notes
Notes:
svn path=/head/; revision=301440
-rw-r--r-- | sys/netpfil/ipfw/ip_fw_table_algo.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netpfil/ipfw/ip_fw_table_algo.c b/sys/netpfil/ipfw/ip_fw_table_algo.c index bd6a54d5b97a..97bc8794d737 100644 --- a/sys/netpfil/ipfw/ip_fw_table_algo.c +++ b/sys/netpfil/ipfw/ip_fw_table_algo.c @@ -590,7 +590,8 @@ ipv6_writemask(struct in6_addr *addr6, uint8_t mask) for (cp = (uint32_t *)addr6; mask >= 32; mask -= 32) *cp++ = 0xFFFFFFFF; - *cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0); + if (mask > 0) + *cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0); } #endif |