Fix 4-byte overflow in ipv6_writemask.

This bug could cause some IPv6 table prefix delete requests to fail. Obtained from: Yandex LLC
svn path=/head/; revision=301440
2024-12-04 08:09:08 +00:00 · 2016-06-05 10:33:53 +00:00 · 2016-06-05 10:33:53 +00:00 · 37aefa2ad1 · 2020-12-20 02:59:44 +00:00
commit 37aefa2ad1
parent 912517a7d4
1 changed files with 2 additions and 1 deletions
--- a/sys/netpfil/ipfw/ip_fw_table_algo.c
+++ b/sys/netpfil/ipfw/ip_fw_table_algo.c
@ -590,7 +590,8 @@ ipv6_writemask(struct in6_addr *addr6, uint8_t mask)

 	for (cp = (uint32_t *)addr6; mask >= 32; mask -= 32)
 		*cp++ = 0xFFFFFFFF;
-	*cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0);
+	if (mask > 0)
+		*cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0);
 }
 #endif