> Synopsis:	util.c mask2prefixlen6() may read beyond the end of netmask structure
> Category:	security
> Description:
	The mask2prefixlen6() function in iked util.c uses the sin6_len field
	from a sockaddr_in6 structure to determine how many bytes to read when
	calculating the prefix length of an IPv6 netmask:

		ap = (uint8_t *)&sa_in6->sin6_addr;
		ep = (uint8_t *)sa_in6 + sa_in6->sin6_len;
		for (; ap < ep; ap++) {
			/* ... */
		}

	The function is used in:
	- parse.c, for processing netmask values from getifaddrs()
	- pfkey.c, for processing netmask information from PF_KEY SA processing

	The current bounds check:

		if (l > sizeof(struct in6_addr) * 8)
			fatalx("%s: prefixlen %d out of bound", __func__, l);

	only validates the result and runs after memory has already been
	accessed. Where it is used today, the function processes relatively
	safe data. However, it may be applied to unsafe data if it is used
	incorrectly in the future.

> Fix:
	Add upfront structure validation before memory access:

		if (sa_in6->sin6_len < offsetof(struct sockaddr_in6, sin6_addr) ||
		    sa_in6->sin6_len > sizeof(struct sockaddr_in6)) {
			fatalx("invalid sockaddr_in6 length");
		}

	This ensures:
	- the sockaddr is large enough to contain in6_addr
	- the length does not exceed the maximum valid size
	- memory access stays within bounds

	The existing result validation should be kept as a separate check.
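	As an added example, not iked's own code, the routine below is modelled
	on the report's description with the upfront sin6_len check in place; it
	returns -1 where iked would fatalx(). It assumes a locally defined
	BSD-layout sockaddr_in6 so it builds where the system struct has no
	sin6_len, and the names mask2prefixlen6_checked() and prefixlen_of_mask()
	are this example's. It also shows the remaining caveat: a sin6_len that
	stops inside sin6_addr passes the check, and the loop then reads only the
	bytes the length covers (a truncated netmask).

```c
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* BSD-layout sockaddr_in6 (with sin6_len), defined here so the example builds
 * where the system struct lacks it; iked itself uses struct sockaddr_in6. */
struct bsd_sockaddr_in6 {
	uint8_t		sin6_len, sin6_family;
	uint16_t	sin6_port;
	uint32_t	sin6_flowinfo;
	struct in6_addr	sin6_addr;
	uint32_t	sin6_scope_id;
};
/* Prefix length of a netmask in a possibly truncated sockaddr_in6, with the
 * report's length check done before any address byte is read; -1 = error. */
int mask2prefixlen6_checked(const struct bsd_sockaddr_in6 *sa_in6)
{
	const uint8_t	*ap, *ep;
	unsigned int	 l = 0;
	uint8_t		 b;

	/* Fix from the report: validate sin6_len before touching sin6_addr. */
	if (sa_in6->sin6_len < offsetof(struct bsd_sockaddr_in6, sin6_addr) ||
	    sa_in6->sin6_len > sizeof(struct bsd_sockaddr_in6))
		return (-1);		/* "invalid sockaddr_in6 length" */
	ap = (const uint8_t *)&sa_in6->sin6_addr;
	ep = (const uint8_t *)sa_in6 + sa_in6->sin6_len;	/* now in bounds */
	for (; ap < ep && *ap == 0xff; ap++)
		l += 8;
	if (ap < ep) {	/* partial byte: leading ones, then only zeros */
		for (b = *ap; b & 0x80; b = (uint8_t)(b << 1))
			l++;
		if (b != 0)
			return (-1);	/* "non contiguous inet6 netmask" */
		for (ap++; ap < ep; ap++)
			if (*ap != 0)
				return (-1);
	}
	/* Existing result check, kept as a separate step as the report asks. */
	return (l > sizeof(struct in6_addr) * 8) ? -1 : (int)l;
}
/* Build a sockaddr_in6 from a constructed mask (<= 16 bytes) and a claimed
 * sin6_len; every other field, sin6_scope_id included, is left zero. */
int prefixlen_of_mask(const uint8_t *mask, size_t masklen, uint8_t sin6_len)
{
	struct bsd_sockaddr_in6 sa;

	memset(&sa, 0, sizeof(sa));
	sa.sin6_len = sin6_len;
	memcpy(&sa.sin6_addr, mask, masklen);
	return (mask2prefixlen6_checked(&sa));
}
```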