From 1801580e39ceac0d7fec7adef892763c4da56906 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 28 Jan 2016 22:45:14 +0000
Subject: Fix regression in entry_to_env()

I broke entry_to_env() by incrementing the wrong variable in commit
a6bbd1d7f5c2 ("Fix potential buffer overflow in entry_to_env").

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 src/script.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/script.c b/src/script.c
index 3579331..5955e94 100644
--- a/src/script.c
+++ b/src/script.c
@@ -169,7 +169,7 @@ static void entry_to_env(const char *name, const void *data, size_t len, enum en
 		buf_len += strlen(&buf[buf_len]);
 		if (type != ENTRY_HOST) {
 			snprintf(&buf[buf_len], 6, "/%"PRIu16, e[i].length);
-			buf += strlen(&buf[buf_len]);
+			buf_len += strlen(&buf[buf_len]);
 			if (type == ENTRY_ROUTE) {
 				buf[buf_len++] = ',';
 				if (!IN6_IS_ADDR_UNSPECIFIED(&e[i].router)) {
@@ -177,15 +177,15 @@ static void entry_to_env(const char *name, const void *data, size_t len, enum en
 					buf_len += strlen(&buf[buf_len]);
 				}
 				snprintf(&buf[buf_len], 23, ",%u,%u", e[i].valid, e[i].priority);
-				buf += strlen(&buf[buf_len]);
+				buf_len += strlen(&buf[buf_len]);
 			} else {
 				snprintf(&buf[buf_len], 23, ",%u,%u", e[i].preferred, e[i].valid);
-				buf += strlen(&buf[buf_len]);
+				buf_len += strlen(&buf[buf_len]);
 			}
 
 			if (type == ENTRY_PREFIX && ntohl(e[i].iaid) != 1) {
 				snprintf(&buf[buf_len], 16, ",class=%08x", ntohl(e[i].iaid));
-				buf += strlen(&buf[buf_len]);
+				buf_len += strlen(&buf[buf_len]);
 			}
 
 			if (type == ENTRY_PREFIX && e[i].priority) {
-- 
cgit v1.2.1


From c47e4f59ef87ef94b84023e260bfadd9df6e5a82 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 28 Jan 2016 22:45:39 +0000
Subject: Fix end pointer passed from dhcpv6_handle_reply() to
 dhcpv6_parse_ia()

The end of the IA option is odata + olen; there's no need to add anything.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 src/dhcpv6.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/dhcpv6.c b/src/dhcpv6.c
index e27d899..c5f11f1 100644
--- a/src/dhcpv6.c
+++ b/src/dhcpv6.c
@@ -989,7 +989,7 @@ static int dhcpv6_handle_reply(enum dhcpv6_msg orig, _unused const int rc,
 				if (code != DHCPV6_Success)
 					continue;
 
-				dhcpv6_parse_ia(ia_hdr, odata + olen + sizeof(*ia_hdr));
+				dhcpv6_parse_ia(ia_hdr, odata + olen);
 				passthru = false;
 			} else if (otype == DHCPV6_OPT_STATUS && olen >= 2) {
 				uint8_t *mdata = (olen > 2) ? &odata[2] : NULL;
-- 
cgit v1.2.1