path: root/src/helpers
diff options
authorPhil Sutter <>2019-02-12 17:31:31 +0100
committerPablo Neira Ayuso <>2019-02-12 19:40:13 +0100
commit764a435c26e29900921ad5cdbd160a466c3c7416 (patch)
tree01b1cd5cd8f1f05fc53ba46e619e2734bcc5203d /src/helpers
parent0aae87b43d98864ac48560f16e74bd6d71463291 (diff)
conntrackd: helpers: dhcpv6: Fix potential array overrun
The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts array, so upper boundary check has to treat a value of ARRAY_SIZE(dhcpv6_timeouts) as invalid. Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper") Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'src/helpers')
1 files changed, 1 insertions, 1 deletions
diff --git a/src/helpers/dhcpv6.c b/src/helpers/dhcpv6.c
index 73632ec..f87b6ce 100644
--- a/src/helpers/dhcpv6.c
+++ b/src/helpers/dhcpv6.c
@@ -72,7 +72,7 @@ dhcpv6_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
return NF_ACCEPT;
dhcpv6_msg_type = pktb_network_header(pkt) + protoff + sizeof(struct udphdr);
- if (*dhcpv6_msg_type > ARRAY_SIZE(dhcpv6_timeouts)) {
+ if (*dhcpv6_msg_type >= ARRAY_SIZE(dhcpv6_timeouts)) {
printf("Dropping DHCPv6 message with bad type %u\n",
return NF_DROP;