utils: fix invalid memory access in fw3_bitlen2netmask()

When fw3_bitlen2netmask() is invoked with a bit length of 128, the next byte after the end of struct in6_addr is errorneously zeroed, leading to a heap corruption on at least x86_64 with uclibc and possibly others. Prevent the invalid writes by explicitely testing for a bit count < 128. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
author: Jo-Philipp Wich <jow@openwrt.org> 2014-09-17 19:49:53 +0200
committer: Jo-Philipp Wich <jow@openwrt.org> 2014-09-17 23:28:54 +0200
commit: 7c63f4f5a9983f9b81d90cfdf09e6fca0cfbf52d (patch)
tree: d4552264065c4d33bf17026b44d954c19ab841ff
parent: 8205107ffd31a21c1d4d93eaa7a44d41c6c3c10d (diff)
download: firewall3-7c63f4f5a9983f9b81d90cfdf09e6fca0cfbf52d.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/utils.c b/utils.c
index cb478bb..756633a 100644
--- a/utils.c
+++ b/utils.c
@@ -786,8 +786,12 @@ fw3_bitlen2netmask(int family, int bits, void *mask)
 		i = abs(bits);
 
 		memset(v6->s6_addr, 0xff, i / 8);
-		memset(v6->s6_addr + (i / 8) + 1, 0, (128 - i) / 8);
-		v6->s6_addr[i / 8] = 0xff << (8 - (i & 7));
+
+		if (i < 128)
+		{
+			memset(v6->s6_addr + (i / 8) + 1, 0, (128 - i) / 8);
+			v6->s6_addr[i / 8] = 0xff << (8 - (i & 7));
+		}
 
 		if (bits < 0)
 			for (i = 0; i < 16; i++)
author	Jo-Philipp Wich <jow@openwrt.org>	2014-09-17 19:49:53 +0200
committer	Jo-Philipp Wich <jow@openwrt.org>	2014-09-17 23:28:54 +0200
commit	7c63f4f5a9983f9b81d90cfdf09e6fca0cfbf52d (patch)
tree	d4552264065c4d33bf17026b44d954c19ab841ff
parent	8205107ffd31a21c1d4d93eaa7a44d41c6c3c10d (diff)
download	firewall3-7c63f4f5a9983f9b81d90cfdf09e6fca0cfbf52d.tar.gz