When parsing a network mask into a prefixlen, be more paranoid and make sure no value bigger than 128 is returned. In general this should never happen, but if it does the result can be bad.
This is for bgpd but there are other users in the tree. I will adjust them if we dicide to go this way. -- :wq Claudio
Index: kroute.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
retrieving revision 1.225
diff -u -p -r1.225 kroute.c
--- kroute.c 5 Nov 2018 07:01:15 -0000 1.225
+++ kroute.c 19 Nov 2018 12:46:23 -0000
@@ -2406,7 +2406,8 @@ mask2prefixlen(in_addr_t ina)
 u_int8_t
 mask2prefixlen6(struct sockaddr_in6 *sa_in6)
 {
- u_int8_t l = 0, *ap, *ep;
+ u_int8_t *ap, *ep;
+ u_int l = 0;
 /*
 * sin6_len is the size of the sockaddr so substract the offset of
@@ -2422,32 +2423,35 @@ mask2prefixlen6(struct sockaddr_in6 *sa_
 break;
 case 0xfe:
 l += 7;
- return (l);
+ goto done;
 case 0xfc:
 l += 6;
- return (l);
+ goto done;
 case 0xf8:
 l += 5;
- return (l);
+ goto done;
 case 0xf0:
 l += 4;
- return (l);
+ goto done;
 case 0xe0:
 l += 3;
- return (l);
+ goto done;
 case 0xc0:
 l += 2;
- return (l);
+ goto done;
 case 0x80:
 l += 1;
- return (l);
+ goto done;
 case 0x00:
- return (l);
+ goto done;
 default:
 fatalx("non contiguous inet6 netmask");
 }
 }
+ done:
+ if (l > sizeof(struct in6_addr) * 8)
+ fatalx("%s: prefixlen %d out of bound", __func__, l);
 return (l);
 }
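Review bot: The widened `u_int l` declaration in mask2prefixlen6() carries no comment saying why the accumulator is now wider than the `u_int8_t` return type, so a later cleanup could narrow it again and let the sum wrap before the range check at `done:` ever sees it. I would add `/* wider than the return type so an oversized mask cannot wrap before the range check */` above the declaration. The function body continues outside this hunk.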
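Review bot: The new `fatalx()` call after `done:` prints the `u_int` accumulator with `%d`; the conversion should match the type, `fatalx("%s: prefixlen %u out of bound", __func__, l);`. The check also runs only after the byte walk has finished, and the loop bounds are outside this hunk. If `ep` is derived from `sin6_len`, as the comment in the first hunk suggests, capping `ep` at the end of `sin6_addr` before the loop would keep the walk inside the address instead of detecting the overrun afterwards. The loop header and the start of the switch are not visible here, so that part needs confirming against the full function.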