ipaddr: fix buffer overrun on ipv6 prefix of 128

CID 717020: Out-of-bounds read (OVERRUN)
At (3): Overrunning array "addr->__in6_u.__u6_addr8" of 16 bytes at byte offset 16 using index "prefix_len / 8U" (which evaluates to 16).

Signed-off-by: Sage Weil <sage@inktank.com>

diff --git a/src/common/ipaddr.cc b/src/common/ipaddr.cc
index d56a14f9d61851331573ef112ad09f910dae4ed2..253a7c67de773f1450e0578c8fb86da3c08a73a1 100644 (file)
--- a/src/common/ipaddr.cc
+++ b/src/common/ipaddr.cc
@@ -55,7 +55,8 @@ static void netmask_ipv6(const struct in6_addr *addr,
     prefix_len = 128;
 
   memcpy(out->s6_addr, addr->s6_addr, prefix_len/8);
-  out->s6_addr[prefix_len/8] = addr->s6_addr[prefix_len/8] & ~( 0xFF >> (prefix_len % 8) );
+  if (prefix_len < 128)
+    out->s6_addr[prefix_len/8] = addr->s6_addr[prefix_len/8] & ~( 0xFF >> (prefix_len % 8) );
   if (prefix_len/8 < 15)
     memset(out->s6_addr+prefix_len/8+1, 0, 16-prefix_len/8-1);
 }