author | Phil Sutter <phil@nwl.cc> | 2019-02-12 17:31:31 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-02-12 19:40:13 +0100 |
commit | 764a435c26e29900921ad5cdbd160a466c3c7416 (patch) | |
tree | 01b1cd5cd8f1f05fc53ba46e619e2734bcc5203d /src/helpers/dhcpv6.c | |
parent | 0aae87b43d98864ac48560f16e74bd6d71463291 (diff) |
conntrackd: helpers: dhcpv6: Fix potential array overrun
The value dhcpv6_msg_type points at is used as index to dhcpv6_timeouts
array, so upper boundary check has to treat a value of
ARRAY_SIZE(dhcpv6_timeouts) as invalid.
Fixes: 36118bfc4901b ("conntrackd: helpers: add DHCPv6 helper")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/helpers/dhcpv6.c')
-rw-r--r-- | src/helpers/dhcpv6.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/helpers/dhcpv6.c b/src/helpers/dhcpv6.c index 73632ec..f87b6ce 100644 --- a/src/helpers/dhcpv6.c +++ b/src/helpers/dhcpv6.c @@ -72,7 +72,7 @@ dhcpv6_helper_cb(struct pkt_buff *pkt, uint32_t protoff, return NF_ACCEPT; dhcpv6_msg_type = pktb_network_header(pkt) + protoff + sizeof(struct udphdr); - if (*dhcpv6_msg_type > ARRAY_SIZE(dhcpv6_timeouts)) { + if (*dhcpv6_msg_type >= ARRAY_SIZE(dhcpv6_timeouts)) { printf("Dropping DHCPv6 message with bad type %u\n", *dhcpv6_msg_type); return NF_DROP; |
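Review bot: In the changed condition, `*dhcpv6_msg_type` is dereferenced at `pktb_network_header(pkt) + protoff + sizeof(struct udphdr)`, and the only guard visible in this context is an earlier `return NF_ACCEPT;`. Please confirm that the preceding check guarantees the packet holds at least one byte past the UDP header, because otherwise the read itself is out of bounds before the index comparison runs. The `>=` bound is the correct one for a value used as an index, since valid indices end at `ARRAY_SIZE(dhcpv6_timeouts) - 1`. Separately, the `printf` on the drop path writes one line per malformed packet with a packet-controlled value, so consider rate-limiting it or routing it through whatever logging facility the daemon already uses.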