author | SUZUKI, Shinsuke <suz@kame.net> | 2008-05-01 03:29:30 +0000 |
---|---|---|
committer | Bjørn Mork <bjorn@mork.no> | 2010-08-06 15:37:37 +0200 |
commit | 959d5858478218bc2da84c4cee4cf25727ae1ff6 (patch) | |
tree | f44126795237139679ca60dcf9112c117655c463 | |
parent | bb3f33b3fb288b788cc87c8f06fb2511ca051cb9 (diff) |
- fixed a potential NULL pointer access (Bug-ID: 1848304) - used a val_statefuladdr, instead of val_prefix, to access an address in IA in DHCP DECLINE handling.
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | addrconf.c | 16 | ||||
-rw-r--r-- | dhcp6s.c | 6 |
3 files changed, 17 insertions, 9 deletions
@@ -1,6 +1,8 @@ 2008-05-01 SUZUKI, Shinsuke <suz@kame.net> * common.c: fixed a memory leak (Bug-ID: 1847587) - + * dhcp6s.c: fixed a potential NULL pointer access (Bug-ID: 1848304). + used a val_statefuladdr, instead of val_prefix, to access + an address in IA in DHCP DECLINE handling. 2007-12-06 SUZUKI, Shinsuke <suz@kame.net> * common.c: fixed a possible memory leak. (Bug-ID 1844676) * common.c: fixed a possible double free. (Bug-ID 1844683) @@ -87,7 +87,7 @@ struct statefuladdr { static struct statefuladdr *find_addr __P((struct statefuladdr_list *, struct dhcp6_statefuladdr *)); -static void remove_addr __P((struct statefuladdr *)); +static int remove_addr __P((struct statefuladdr *)); static int isvalid_addr __P((struct iactl *)); static u_int32_t duration_addr __P((struct iactl *)); static void cleanup_addr __P((struct iactl *)); @@ -174,7 +174,8 @@ update_address(ia, addr, dhcpifp, ctlp, callback) in6addr2str(&addr->addr, 0), addr->pltime, addr->vltime); if (sa->addr.vltime != 0) - na_ifaddrconf(IFADDRCONF_ADD, sa); + if (na_ifaddrconf(IFADDRCONF_ADD, sa) < 0) + return (-1); /* * If the new vltime is 0, this address immediately expires. @@ -182,7 +183,8 @@ update_address(ia, addr, dhcpifp, ctlp, callback) */ switch (sa->addr.vltime) { case 0: - remove_addr(sa); + if (remove_addr(sa) < 0) + return (-1); break; case DHCP6_DURATION_INFINITE: if (sa->timer) @@ -225,10 +227,12 @@ find_addr(head, addr) return (NULL); } -static void +static int remove_addr(sa) struct statefuladdr *sa; { + int ret; + dprintf(LOG_DEBUG, FNAME, "remove an address %s", in6addr2str(&sa->addr.addr, 0)); @@ -236,8 +240,10 @@ remove_addr(sa) dhcp6_remove_timer(&sa->timer); TAILQ_REMOVE(&sa->ctl->statefuladdr_head, sa, link); - na_ifaddrconf(IFADDRCONF_REMOVE, sa); + ret = na_ifaddrconf(IFADDRCONF_REMOVE, sa); free(sa); + + return (ret); } static int 
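Review bot: In the update_address() hunk at -174, the new `return (-1)` after a failed `na_ifaddrconf(IFADDRCONF_ADD, sa)` exits without undoing anything done to `sa` earlier in the function. If `sa` was allocated and linked into the address list before this hunk (not visible here), it would stay listed with no address on the interface and no timer armed; either unlink and free it on this path or add a comment explaining why leaving it is safe. The nested `if` is also unbraced, which invites a dangling-else mistake later; prefer `if (sa->addr.vltime != 0 && na_ifaddrconf(IFADDRCONF_ADD, sa) < 0)` followed by `return (-1);`. update_address's body starts and ends outside the hunk.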
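Review bot: remove_addr() now returns the result of `na_ifaddrconf(IFADDRCONF_REMOVE, sa)` but still unlinks and frees `sa` on every path, so a negative return means the daemon has dropped its record of an address that may still be configured on the interface. Nothing in the hunk logs that case; before `free(sa)` add `if (ret < 0) dprintf(LOG_ERR, FNAME, "failed to remove an address %s", in6addr2str(&sa->addr.addr, 0));` so the mismatch is visible to an operator. The function also needs a header comment stating the ownership rule, for example `/* Always unlinks and frees sa; a negative return only reports that the interface address could not be removed. */`. The `case 0:` caller in update_address depends on this, since it returns without touching `sa` again.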
@@ -2654,14 +2654,14 @@ decline_binding_ia(iap, retlist, optinfo) if ((lvia = find_binding_ia(lv, binding)) == NULL) { dprintf(LOG_DEBUG, FNAME, "no binding found " "for address %s", - in6addr2str(&lvia->val_prefix6.addr, 0)); + in6addr2str(&lv->val_statefuladdr6.addr, 0)); continue; } dprintf(LOG_DEBUG, FNAME, "bound address %s has been marked as declined", - in6addr2str(&lvia->val_prefix6.addr, 0)); - decline_address(&lvia->val_prefix6.addr); + in6addr2str(&lvia->val_statefuladdr6.addr, 0)); + decline_address(&lvia->val_statefuladdr6.addr); TAILQ_REMOVE(&binding->val_list, lvia, link); dhcp6_clear_listval(lvia); |
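Review bot: Both messages in this hunk stay at `LOG_DEBUG`, so a client that sends DECLINE for addresses it holds no binding for, or that repeatedly declines its bound addresses and takes them out of service, leaves no trace at normal log levels. Consider raising both to `dprintf(LOG_INFO, FNAME, ...)` so operators can spot pool depletion or misbehaving clients. Separately, reading `val_statefuladdr6` from `lv` and `lvia` is only valid if both entries are stateful-address list values; the type check that would guarantee this is not visible in the hunk, so confirm it precedes the `find_binding_ia()` call. decline_binding_ia's body starts and ends outside the hunk.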