odhcp6c: fix possible stack corruption when parsing proc if_inet6
index dcb3e0f0fb40e9ee9281979ebf23435e52821254..1c3896887ec9136fa21c2ad522b96fa116801070 100644 (file)
--- a/src/ra.c
+++ b/src/ra.c
@@ -55,6 +55,7 @@ static int if_index = 0;
 static char if_name[IF_NAMESIZE] = {0};
 static volatile int rs_attempt = 0;
 static struct in6_addr lladdr = IN6ADDR_ANY_INIT;
+static unsigned int ra_options = 0;
 
 struct {
        struct icmp6_hdr hdr;
@@ -67,8 +68,10 @@ struct {
 
 static void ra_send_rs(int signal __attribute__((unused)));
 
-int ra_init(const char *ifname, const struct in6_addr *ifid)
+int ra_init(const char *ifname, const struct in6_addr *ifid, unsigned int options)
 {
+       ra_options = options;
+
        const pid_t ourpid = getpid();
        sock = socket(AF_INET6, SOCK_RAW | SOCK_CLOEXEC, IPPROTO_ICMPV6);
        if (sock < 0)
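Review bot: The new `options` parameter of ra_init is stored in the file-scope `ra_options` with nothing at the definition saying which bits are valid or what they change. A short comment on the function would help callers, for example `/* options: bitmask of RA_* flags; RA_RDNSS_DEFAULT_LIFETIME caps RA DNS/search entry lifetimes at the router lifetime */`, which matches the only use visible later in this diff. The body of ra_init continues outside the hunk.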
@@ -274,7 +277,11 @@ bool ra_process(void)
 {
        bool found = false;
        bool changed = false;
-       uint8_t buf[1500], cmsg_buf[128];
+       uint8_t buf[1500] _aligned(4);
+       union {
+               struct cmsghdr hdr;
+               uint8_t buf[CMSG_SPACE(sizeof(int))];
+       } cmsg_buf;
        struct nd_router_advert *adv = (struct nd_router_advert*)buf;
        struct odhcp6c_entry *entry = alloca(sizeof(*entry) + 256);
        const struct in6_addr any = IN6ADDR_ANY_INIT;
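Review bot: The control buffer in ra_process now has room for exactly one int-sized ancillary message (`CMSG_SPACE(sizeof(int))`), where the old `cmsg_buf[128]` had slack. If a second ancillary option is ever enabled on the socket, the kernel will truncate the control data and set MSG_CTRUNC, and the item this buffer is presumably sized for (the received hop limit) may be missing. The socket option setup and the cmsg walk are outside this hunk, so confirm that the receive path drops the packet when that item is absent. A comment on the union would record the constraint: `/* sized for a single int cmsg; enlarge if more ancillary data is requested */`.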
@@ -301,7 +308,7 @@ bool ra_process(void)
                        .msg_namelen = sizeof(from),
                        .msg_iov = &iov,
                        .msg_iovlen = 1,
-                       .msg_control = cmsg_buf,
+                       .msg_control = cmsg_buf.buf,
                        .msg_controllen = sizeof(cmsg_buf),
                        .msg_flags = 0
                };
@@ -424,28 +431,34 @@ bool ra_process(void)
 
                                while (buf < end) {
                                        int len = dn_expand(buf, end, buf, (char*)entry->auxtarget, 256);
-                                       if (len > 0) {
-                                               buf = &buf[len];
-                                               entry->auxlen = strlen((char*)entry->auxtarget);
-                                               changed |= odhcp6c_update_entry(STATE_RA_SEARCH, entry, 0, true);
-                                               entry->auxlen = 0;
-                                       } else {
+                                       if (len < 1)
                                                break;
-                                       }
+
+                                       buf = &buf[len];
+                                       entry->auxlen = strlen((char*)entry->auxtarget);
+
+                                       if (entry->auxlen == 0)
+                                               continue;
+
+                                       changed |= odhcp6c_update_entry(STATE_RA_SEARCH, entry, 0, true);
+                                       entry->auxlen = 0;
                                }
                        }
                }
 
-               int states[2] = {STATE_RA_DNS, STATE_RA_SEARCH};
-               for (size_t i = 0; i < 2; ++i) {
-                       size_t ra_dns_len;
-                       uint8_t *start = odhcp6c_get_state(states[i], &ra_dns_len);
-                       for (struct odhcp6c_entry *c = (struct odhcp6c_entry*)start;
-                                               (uint8_t*)c < &start[ra_dns_len] && &c->auxtarget[c->auxlen] <= &start[ra_dns_len];
-                                               c = (struct odhcp6c_entry*)(&c->auxtarget[c->auxlen]))
-                               if (IN6_ARE_ADDR_EQUAL(&c->router, &from.sin6_addr) &&
-                                               c->valid > router_valid)
-                                       c->valid = router_valid;
+               if (ra_options & RA_RDNSS_DEFAULT_LIFETIME) {
+                       int states[2] = {STATE_RA_DNS, STATE_RA_SEARCH};
+                       for (size_t i = 0; i < 2; ++i) {
+                               size_t ra_dns_len;
+                               uint8_t *start = odhcp6c_get_state(states[i], &ra_dns_len);
+                               for (struct odhcp6c_entry *c = (struct odhcp6c_entry*)start;
+                                                       (uint8_t*)c < &start[ra_dns_len] &&
+                                                       (uint8_t*)odhcp6c_next_entry(c) <= &start[ra_dns_len];
+                                                       c = odhcp6c_next_entry(c))
+                                       if (IN6_ARE_ADDR_EQUAL(&c->router, &from.sin6_addr) &&
+                                                       c->valid > router_valid)
+                                               c->valid = router_valid;
+                       }
                }
        }
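Review bot: In the rewritten lifetime-clamp loop the condition calls `odhcp6c_next_entry(c)` after checking only `(uint8_t*)c < &start[ra_dns_len]`, so an entry header that begins inside the state buffer but does not fully fit would still have its `auxlen` read (presumably what odhcp6c_next_entry does; its definition is not in this hunk). The entries appear to be written by odhcp6c_update_entry rather than copied raw from the packet, so this is hardening rather than a known fault. Checking that the header fits keeps the walk in bounds: use `(size_t)(&start[ra_dns_len] - (uint8_t*)c) >= sizeof(*c) &&` in place of the first condition. ra_process starts and ends outside the hunk.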