The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts
array, so upper boundary check has to treat a value of
ARRAY_SIZE(dhcpv6_timeouts) as invalid.
Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
src/helpers/dhcpv6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/helpers/dhcpv6.c b/src/helpers/dhcpv6.c
index 73632ec181a95..f87b6cebfe157 100644
--- a/src/helpers/dhcpv6.c
+++ b/src/helpers/dhcpv6.c
@@ -72,7 +72,7 @@ dhcpv6_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
return NF_ACCEPT;
dhcpv6_msg_type = pktb_network_header(pkt) + protoff + sizeof(struct udphdr);
- if (*dhcpv6_msg_type > ARRAY_SIZE(dhcpv6_timeouts)) {
+ if (*dhcpv6_msg_type >= ARRAY_SIZE(dhcpv6_timeouts)) {
printf("Dropping DHCPv6 message with bad type %u\n",
*dhcpv6_msg_type);
return NF_DROP;
--
2.20.1
