odhcp6c: fix possible stack corruption when parsing proc if_inet6
[project/odhcp6c.git] / src / ra.c
index 2d442f6a8bfbab096a2654317bd08fa60f113118..1c3896887ec9136fa21c2ad522b96fa116801070 100644 (file)
--- a/src/ra.c
+++ b/src/ra.c
@@ -55,6 +55,7 @@ static int if_index = 0;
 static char if_name[IF_NAMESIZE] = {0};
 static volatile int rs_attempt = 0;
 static struct in6_addr lladdr = IN6ADDR_ANY_INIT;
+static unsigned int ra_options = 0;
 
 struct {
        struct icmp6_hdr hdr;
@@ -67,8 +68,10 @@ struct {
 
 static void ra_send_rs(int signal __attribute__((unused)));
 
-int ra_init(const char *ifname, const struct in6_addr *ifid)
+int ra_init(const char *ifname, const struct in6_addr *ifid, unsigned int options)
 {
+       ra_options = options;
+
        const pid_t ourpid = getpid();
        sock = socket(AF_INET6, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_ICMPV6);
        if (sock < 0)
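Review bot: The new `options` parameter of `ra_init` is stored in `ra_options` with no comment saying which bits are defined or what a zero value means. Its only visible use is the `RA_RDNSS_DEFAULT_LIFETIME` test in the last hunk, where a clear bit skips the cap of `c->valid` at `router_valid`. With the bit clear, DNS server and search-domain entries learned from a router keep their own lifetime even when `router_valid` (presumably that router's lifetime) is shorter or zero, so the chosen default deserves a stated reason at the flag's definition and at the caller, both outside this page. I would add above the signature something like `/* options: bitmask; RA_RDNSS_DEFAULT_LIFETIME caps RA DNS/search lifetimes at the advertising router's lifetime */`. The body of `ra_init` continues outside this hunk.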
@@ -274,7 +277,11 @@ bool ra_process(void)
 {
        bool found = false;
        bool changed = false;
-       uint8_t buf[1500], cmsg_buf[128];
+       uint8_t buf[1500] _aligned(4);
+       union {
+               struct cmsghdr hdr;
+               uint8_t buf[CMSG_SPACE(sizeof(int))];
+       } cmsg_buf;
        struct nd_router_advert *adv = (struct nd_router_advert*)buf;
        struct odhcp6c_entry *entry = alloca(sizeof(*entry) + 256);
        const struct in6_addr any = IN6ADDR_ANY_INIT;
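Review bot: The new `cmsg_buf` union has room for exactly one `int`-sized control message, so any further ancillary data delivered on this socket is truncated, and neither this hunk nor the following one (which passes `cmsg_buf.buf` as `.msg_control`) shows a check for that. The code after the receive call is outside the visible hunks; if it does not already do so, it should drop the packet when `msg.msg_flags & MSG_CTRUNC` is set rather than act on a partial control buffer. A short comment on the union would help the next reader, e.g. `/* union gives struct cmsghdr alignment; sized for one int-sized cmsg */`. For consistency with `.msg_control = cmsg_buf.buf`, the length could be written `.msg_controllen = sizeof(cmsg_buf.buf)`. `ra_process` starts and ends outside this hunk.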
@@ -301,7 +308,7 @@ bool ra_process(void)
                        .msg_namelen = sizeof(from),
                        .msg_iov = &iov,
                        .msg_iovlen = 1,
-                       .msg_control = cmsg_buf,
+                       .msg_control = cmsg_buf.buf,
                        .msg_controllen = sizeof(cmsg_buf),
                        .msg_flags = 0
                };
@@ -439,17 +446,19 @@ bool ra_process(void)
                        }
                }
 
-               int states[2] = {STATE_RA_DNS, STATE_RA_SEARCH};
-               for (size_t i = 0; i < 2; ++i) {
-                       size_t ra_dns_len;
-                       uint8_t *start = odhcp6c_get_state(states[i], &ra_dns_len);
-                       for (struct odhcp6c_entry *c = (struct odhcp6c_entry*)start;
-                                               (uint8_t*)c < &start[ra_dns_len] &&
-                                               (uint8_t*)odhcp6c_next_entry(c) <= &start[ra_dns_len];
-                                               c = odhcp6c_next_entry(c))
-                               if (IN6_ARE_ADDR_EQUAL(&c->router, &from.sin6_addr) &&
-                                               c->valid > router_valid)
-                                       c->valid = router_valid;
+               if (ra_options & RA_RDNSS_DEFAULT_LIFETIME) {
+                       int states[2] = {STATE_RA_DNS, STATE_RA_SEARCH};
+                       for (size_t i = 0; i < 2; ++i) {
+                               size_t ra_dns_len;
+                               uint8_t *start = odhcp6c_get_state(states[i], &ra_dns_len);
+                               for (struct odhcp6c_entry *c = (struct odhcp6c_entry*)start;
+                                                       (uint8_t*)c < &start[ra_dns_len] &&
+                                                       (uint8_t*)odhcp6c_next_entry(c) <= &start[ra_dns_len];
+                                                       c = odhcp6c_next_entry(c))
+                                       if (IN6_ARE_ADDR_EQUAL(&c->router, &from.sin6_addr) &&
+                                                       c->valid > router_valid)
+                                               c->valid = router_valid;
+                       }
                }
        }