authorSUZUKI, Shinsuke <suz@kame.net>2008-05-01 03:29:30 +0000
committerBjørn Mork <bjorn@mork.no>2010-08-06 15:37:37 +0200
commit959d5858478218bc2da84c4cee4cf25727ae1ff6 (patch)
treef44126795237139679ca60dcf9112c117655c463
parentbb3f33b3fb288b788cc87c8f06fb2511ca051cb9 (diff)
- fixed a potential NULL pointer access (Bug-ID: 1848304) - used a val_statefuladdr, instead of val_prefix, to access an address in IA in DHCP DECLINE handling.
-rw-r--r--CHANGES4
-rw-r--r--addrconf.c16
-rw-r--r--dhcp6s.c6
3 files changed, 17 insertions, 9 deletions
diff --git a/CHANGES b/CHANGES
index d733347..5c78623 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
2008-05-01 SUZUKI, Shinsuke <suz@kame.net>
* common.c: fixed a memory leak (Bug-ID: 1847587)
-
+ * dhcp6s.c: fixed a potential NULL pointer access (Bug-ID: 1848304).
+ used a val_statefuladdr, instead of val_prefix, to access
+ an address in IA in DHCP DECLINE handling.
2007-12-06 SUZUKI, Shinsuke <suz@kame.net>
* common.c: fixed a possible memory leak. (Bug-ID 1844676)
* common.c: fixed a possible double free. (Bug-ID 1844683)
diff --git a/addrconf.c b/addrconf.c
index dfc560e..d98373f 100644
--- a/addrconf.c
+++ b/addrconf.c
@@ -87,7 +87,7 @@ struct statefuladdr {
static struct statefuladdr *find_addr __P((struct statefuladdr_list *,
struct dhcp6_statefuladdr *));
-static void remove_addr __P((struct statefuladdr *));
+static int remove_addr __P((struct statefuladdr *));
static int isvalid_addr __P((struct iactl *));
static u_int32_t duration_addr __P((struct iactl *));
static void cleanup_addr __P((struct iactl *));
@@ -174,7 +174,8 @@ update_address(ia, addr, dhcpifp, ctlp, callback)
in6addr2str(&addr->addr, 0), addr->pltime, addr->vltime);
if (sa->addr.vltime != 0)
- na_ifaddrconf(IFADDRCONF_ADD, sa);
+ if (na_ifaddrconf(IFADDRCONF_ADD, sa) < 0)
+ return (-1);
/*
* If the new vltime is 0, this address immediately expires.
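Review bot: The new early `return (-1)` after a failed `na_ifaddrconf(IFADDRCONF_ADD, sa)` leaves `sa` carrying the lifetimes that were just logged, and nothing visible here undoes that. The start of update_address is outside the hunk, but if `sa` is already linked into the IA's address list at this point, the daemon keeps tracking (and may later try to remove) an address that was never configured on the interface. The error path should either state in a comment that the entry is deliberately kept, or clean it up before returning. The nested unbraced `if` is also easy to misread; `if (sa->addr.vltime != 0 && na_ifaddrconf(IFADDRCONF_ADD, sa) < 0)` with a braced body says the same thing.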
@@ -182,7 +183,8 @@ update_address(ia, addr, dhcpifp, ctlp, callback)
*/
switch (sa->addr.vltime) {
case 0:
- remove_addr(sa);
+ if (remove_addr(sa) < 0)
+ return (-1);
break;
case DHCP6_DURATION_INFINITE:
if (sa->timer)
@@ -225,10 +227,12 @@ find_addr(head, addr)
return (NULL);
}
-static void
+static int
remove_addr(sa)
struct statefuladdr *sa;
{
+ int ret;
+
dprintf(LOG_DEBUG, FNAME, "remove an address %s",
in6addr2str(&sa->addr.addr, 0));
@@ -236,8 +240,10 @@ remove_addr(sa)
dhcp6_remove_timer(&sa->timer);
TAILQ_REMOVE(&sa->ctl->statefuladdr_head, sa, link);
- na_ifaddrconf(IFADDRCONF_REMOVE, sa);
+ ret = na_ifaddrconf(IFADDRCONF_REMOVE, sa);
free(sa);
+
+ return (ret);
}
static int
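Review bot: `remove_addr()` now returns the result of `na_ifaddrconf(IFADDRCONF_REMOVE, sa)`, but it still unlinks and frees `sa` whether or not that call succeeded. A negative return therefore means the entry is gone while the interface address may still be configured, not that nothing happened. This contract is undocumented, and a caller that reacts to the error by touching `sa` again would be using freed memory. The `case 0:` caller in update_address returns immediately, but other callers are not visible on this page. I would add above the definition `/* Always unlinks and frees sa; a negative return only reports that na_ifaddrconf() failed. Do not use sa afterwards. */`. The opening lines of the function are in the previous hunk.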
diff --git a/dhcp6s.c b/dhcp6s.c
index 70f8860..94729da 100644
--- a/dhcp6s.c
+++ b/dhcp6s.c
@@ -2654,14 +2654,14 @@ decline_binding_ia(iap, retlist, optinfo)
if ((lvia = find_binding_ia(lv, binding)) == NULL) {
dprintf(LOG_DEBUG, FNAME, "no binding found "
"for address %s",
- in6addr2str(&lvia->val_prefix6.addr, 0));
+ in6addr2str(&lv->val_statefuladdr6.addr, 0));
continue;
}
dprintf(LOG_DEBUG, FNAME,
"bound address %s has been marked as declined",
- in6addr2str(&lvia->val_prefix6.addr, 0));
- decline_address(&lvia->val_prefix6.addr);
+ in6addr2str(&lvia->val_statefuladdr6.addr, 0));
+ decline_address(&lvia->val_statefuladdr6.addr);
TAILQ_REMOVE(&binding->val_list, lvia, link);
dhcp6_clear_listval(lvia);
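Review bot: Both accesses in this hunk read `val_statefuladdr6` (from `lv` in the not-found branch, from `lvia` after a match) with no visible check that the entry actually holds a stateful address. The commit message suggests `val_prefix6` and `val_statefuladdr6` are alternative views of the same value, so an entry of the other kind would yield a wrong address for the log line and for `decline_address()`. The loop header and everything before `find_binding_ia()` lie outside the hunk, so a type check may already exist there. If it does not, entries of a different type should be skipped before this point, since `lv` appears to come from the client's DECLINE message. A one-line comment in the not-found branch, `/* lvia is NULL here: log the client-supplied entry lv */`, would also keep the NULL dereference from being reintroduced.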