Test mask length against the size of mask.s6_addr.

It's unlikely that struct in6_addr will be any bigger than mask.s6_addr,
but protect against that.

Reported by Charles Smith at Tangible Security.

diff --git a/gencode.c b/gencode.c
index 7cb211c6dd0154a99b76142a388e93bcc6fcf82f..bdc35e646e9cf9e5c75afc5b1bd486d3fbe01e40 100644 (file)
--- a/gencode.c
+++ b/gencode.c
@@ -7131,10 +7131,10 @@ gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
                bpf_error(cstate, "%s resolved to multiple address", s1);
        addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
 
-       if (sizeof(mask) * 8 < masklen)
-               bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
+       if (masklen > sizeof(mask.s6_addr) * 8)
+               bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask.s6_addr) * 8));
        memset(&mask, 0, sizeof(mask));
-       memset(&mask, 0xff, masklen / 8);
+       memset(&mask.s6_addr, 0xff, masklen / 8);
        if (masklen % 8) {
                mask.s6_addr[masklen / 8] =
                        (0xff << (8 - masklen % 8)) & 0xff;