[conntrack-tools PATCH] conntrackd: helpers: dhcpv6: Fix potential array overrun

The value dhcpv6_msg_type points at is used as an index into the
dhcpv6_timeouts array, so the upper boundary check has to treat a value of
ARRAY_SIZE(dhcpv6_timeouts) as invalid.

Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 src/helpers/dhcpv6.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/helpers/dhcpv6.c b/src/helpers/dhcpv6.c
index 73632ec181a95..f87b6cebfe157 100644
--- a/src/helpers/dhcpv6.c
+++ b/src/helpers/dhcpv6.c
@@ -72,7 +72,7 @@ dhcpv6_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
 		return NF_ACCEPT;
 
 	dhcpv6_msg_type = pktb_network_header(pkt) + protoff + sizeof(struct udphdr);
-	if (*dhcpv6_msg_type > ARRAY_SIZE(dhcpv6_timeouts)) {
+	if (*dhcpv6_msg_type >= ARRAY_SIZE(dhcpv6_timeouts)) {
 		printf("Dropping DHCPv6 message with bad type %u\n",
 			*dhcpv6_msg_type);
 		return NF_DROP;
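
Review bot: The changed comparison dereferences dhcpv6_msg_type, which points at the first byte after the UDP header, and nothing visible in this hunk shows that the packet actually carries that byte. Please confirm that the check ending in "return NF_ACCEPT" just above guarantees at least sizeof(struct udphdr) + 1 bytes from protoff, or add an explicit length test before the read. The switch from ">" to ">=" itself is right, since valid indices run from 0 to ARRAY_SIZE(dhcpv6_timeouts) - 1 and the old test let the value equal to the array size through. Separately, the printf in the drop path fires once per rejected packet and is driven entirely by remote input, so consider rate limiting it or routing it through the daemon's logging instead of stdout.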
-- 
2.20.1



