From: paco <paco@voltanet.io>
Date: Wed, 27 Jun 2018 09:47:57 +0000 (+0200)
Subject: ospf6d: OoB read (Coverity 1221444 1221446)
X-Git-Tag: frr-6.1-dev~226^2
X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=b8ce0c369622b5aeeef35a5ab4028d458bff4c92;p=matthieu%2Ffrr.git

ospf6d: OoB read (Coverity 1221444 1221446)

Signed-off-by: F. Aragon <paco@voltanet.io>
---

diff --git a/ospf6d/ospf6_abr.c b/ospf6d/ospf6_abr.c
index b3aa3b21d2..cef32bc437 100644
--- a/ospf6d/ospf6_abr.c
+++ b/ospf6d/ospf6_abr.c
@@ -864,7 +864,8 @@ void ospf6_abr_examin_summary(struct ospf6_lsa *lsa, struct ospf6_area *oa)
 				lsa->header);
 		prefix.family = AF_INET6;
 		prefix.prefixlen = prefix_lsa->prefix.prefix_length;
-		ospf6_prefix_in6_addr(&prefix.u.prefix6, &prefix_lsa->prefix);
+		ospf6_prefix_in6_addr(&prefix.u.prefix6, prefix_lsa,
+				      &prefix_lsa->prefix);
 		if (is_debug)
 			prefix2str(&prefix, buf, sizeof(buf));
 		table = oa->ospf6->route_table;
@@ -1284,7 +1285,7 @@ static char *ospf6_inter_area_prefix_lsa_get_prefix_str(struct ospf6_lsa *lsa,
 			(struct ospf6_inter_prefix_lsa *)OSPF6_LSA_HEADER_END(
 				lsa->header);
 
-		ospf6_prefix_in6_addr(&in6, &prefix_lsa->prefix);
+		ospf6_prefix_in6_addr(&in6, prefix_lsa, &prefix_lsa->prefix);
 		if (buf) {
 			inet_ntop(AF_INET6, &in6, buf, buflen);
 			sprintf(&buf[strlen(buf)], "/%d",
diff --git a/ospf6d/ospf6_asbr.c b/ospf6d/ospf6_asbr.c
index 7f575ee506..a723396507 100644
--- a/ospf6d/ospf6_asbr.c
+++ b/ospf6d/ospf6_asbr.c
@@ -497,7 +497,8 @@ void ospf6_asbr_lsa_add(struct ospf6_lsa *lsa)
 	route->type = OSPF6_DEST_TYPE_NETWORK;
 	route->prefix.family = AF_INET6;
 	route->prefix.prefixlen = external->prefix.prefix_length;
-	ospf6_prefix_in6_addr(&route->prefix.u.prefix6, &external->prefix);
+	ospf6_prefix_in6_addr(&route->prefix.u.prefix6, external,
+			      &external->prefix);
 
 	route->path.area_id = asbr_entry->path.area_id;
 	route->path.origin.type = lsa->header->type;
@@ -576,7 +577,7 @@ void ospf6_asbr_lsa_remove(struct ospf6_lsa *lsa,
 	route_to_del->type = OSPF6_DEST_TYPE_NETWORK;
 	route_to_del->prefix.family = AF_INET6;
 	route_to_del->prefix.prefixlen = external->prefix.prefix_length;
-	ospf6_prefix_in6_addr(&route_to_del->prefix.u.prefix6,
+	ospf6_prefix_in6_addr(&route_to_del->prefix.u.prefix6, external,
 			      &external->prefix);
 
 	route_to_del->path.origin.type = lsa->header->type;
@@ -603,7 +604,7 @@ void ospf6_asbr_lsa_remove(struct ospf6_lsa *lsa,
 	memset(&prefix, 0, sizeof(struct prefix));
 	prefix.family = AF_INET6;
 	prefix.prefixlen = external->prefix.prefix_length;
-	ospf6_prefix_in6_addr(&prefix.u.prefix6, &external->prefix);
+	ospf6_prefix_in6_addr(&prefix.u.prefix6, external, &external->prefix);
 
 	route = ospf6_route_lookup(&prefix, ospf6->route_table);
 	if (route == NULL) {
@@ -1705,7 +1706,8 @@ static char *ospf6_as_external_lsa_get_prefix_str(struct ospf6_lsa *lsa,
 			lsa->header);
 
 		if (pos == 0) {
-			ospf6_prefix_in6_addr(&in6, &external->prefix);
+			ospf6_prefix_in6_addr(&in6, external,
+					      &external->prefix);
 			prefix_length = external->prefix.prefix_length;
 		} else {
 			in6 = *((struct in6_addr
diff --git a/ospf6d/ospf6_intra.c b/ospf6d/ospf6_intra.c
index 7898b10905..0ce08a61e2 100644
--- a/ospf6d/ospf6_intra.c
+++ b/ospf6d/ospf6_intra.c
@@ -1700,7 +1700,8 @@ void ospf6_intra_prefix_lsa_add(struct ospf6_lsa *lsa)
 		memset(&route->prefix, 0, sizeof(struct prefix));
 		route->prefix.family = AF_INET6;
 		route->prefix.prefixlen = op->prefix_length;
-		ospf6_prefix_in6_addr(&route->prefix.u.prefix6, op);
+		ospf6_prefix_in6_addr(&route->prefix.u.prefix6,
+				      intra_prefix_lsa, op);
 
 		route->type = OSPF6_DEST_TYPE_NETWORK;
 		route->path.origin.type = lsa->header->type;
@@ -1882,7 +1883,7 @@ void ospf6_intra_prefix_lsa_remove(struct ospf6_lsa *lsa)
 		memset(&prefix, 0, sizeof(struct prefix));
 		prefix.family = AF_INET6;
 		prefix.prefixlen = op->prefix_length;
-		ospf6_prefix_in6_addr(&prefix.u.prefix6, op);
+		ospf6_prefix_in6_addr(&prefix.u.prefix6, intra_prefix_lsa, op);
 
 		route = ospf6_route_lookup(&prefix, oa->route_table);
 		if (route == NULL)
diff --git a/ospf6d/ospf6_proto.c b/ospf6d/ospf6_proto.c
index 4b56a64b7f..864974c9a4 100644
--- a/ospf6d/ospf6_proto.c
+++ b/ospf6d/ospf6_proto.c
@@ -24,6 +24,16 @@
 
 #include "ospf6_proto.h"
 
+void ospf6_prefix_in6_addr(struct in6_addr *in6, const void *prefix_buf,
+			   const struct ospf6_prefix *p)
+{
+	ptrdiff_t in6_off = (caddr_t)p->addr - (caddr_t)prefix_buf;
+
+	memset(in6, 0, sizeof(struct in6_addr));
+	memcpy(in6, (uint8_t *)prefix_buf + in6_off,
+	       OSPF6_PREFIX_SPACE(p->prefix_length));
+}
+
 void ospf6_prefix_apply_mask(struct ospf6_prefix *op)
 {
 	uint8_t *pnt, mask;
diff --git a/ospf6d/ospf6_proto.h b/ospf6d/ospf6_proto.h
index ca2804c476..c9e7b549db 100644
--- a/ospf6d/ospf6_proto.h
+++ b/ospf6d/ospf6_proto.h
@@ -84,13 +84,8 @@ struct ospf6_prefix {
 #define OSPF6_PREFIX_NEXT(x)                                                   \
 	((struct ospf6_prefix *)((caddr_t)(x) + OSPF6_PREFIX_SIZE(x)))
 
-#define ospf6_prefix_in6_addr(in6, op)                                         \
-	do {                                                                   \
-		memset(in6, 0, sizeof(struct in6_addr));                       \
-		memcpy(in6, (caddr_t)(op) + sizeof(struct ospf6_prefix),       \
-		       OSPF6_PREFIX_SPACE((op)->prefix_length));               \
-	} while (0)
-
+extern void ospf6_prefix_in6_addr(struct in6_addr *in6, const void *prefix_buf,
+				  const struct ospf6_prefix *p);
 extern void ospf6_prefix_apply_mask(struct ospf6_prefix *op);
 extern void ospf6_prefix_options_printbuf(uint8_t prefix_options, char *buf,
 					  int size);