From: Ondrej Zajicek (work) Date: Wed, 14 Jun 2017 10:34:43 +0000 (+0200) Subject: Babel: Fix pointer arithmetic in subtlv parsing X-Git-Tag: v2.0.0~62 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5220cb63e34961b097d3bc274e394c0fa946d7d3;p=thirdparty%2Fbird.git Babel: Fix pointer arithmetic in subtlv parsing The subtlv parsing code was doing byte-based arithmetic with non-void pointers, causing it to read beyond the end of the packet. Signed-off-by: Toke Høiland-Jørgensen --- diff --git a/proto/babel/packets.c b/proto/babel/packets.c index 3564c703c..78c133e0f 100644 --- a/proto/babel/packets.c +++ b/proto/babel/packets.c @@ -943,7 +943,7 @@ babel_read_subtlvs(struct babel_tlv *hdr, struct babel_tlv *tlv; for (tlv = (void *) hdr + state->current_tlv_endpos; - tlv < hdr + TLV_LENGTH(hdr); + (void *) tlv < (void *) hdr + TLV_LENGTH(hdr); tlv = NEXT_TLV(tlv)) { /*
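Review bot: The corrected loop condition in babel_read_subtlvs(), `(void *) tlv < (void *) hdr + TLV_LENGTH(hdr)`, only bounds where a sub-TLV may start. It does not show that the sub-TLV's own header and length fit before that end. The loop body is not visible in this hunk, so please confirm it rejects a sub-TLV whose length runs past the parent TLV before its fields are read or `NEXT_TLV(tlv)` is applied. A malformed trailing sub-TLV is the remaining way to read beyond the packet here. Two smaller points: arithmetic on `void *` is a GNU C extension, which matches the existing initializer `(void *) hdr + state->current_tlv_endpos` but is not portable. Computing the end pointer once before the loop (for example as a byte pointer) would avoid repeating the casts in the condition and make the byte-based intent explicit, so the scaled-pointer mistake is harder to reintroduce.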