Fix list-overrun checks in copy_route_[ipv6_]option_list()

The old code checks how many items are in use(!) in the source
list, but then copies the full list over the destination memory
arena.  Check the source list *capacity*.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

diff --git a/route.c b/route.c
index 1f0b096775f4980e99fa2a76fc4e7b312b621d1a..5dfb9c78614ed013b7a981ce721f845211ca4d0c 100644 (file)
--- a/route.c
+++ b/route.c
@@ -121,8 +121,8 @@ void
 copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src)
 {
   const size_t src_size = array_mult_safe (sizeof(struct route_option), src->capacity, sizeof(struct route_option_list));
-  if (src->n > dest->capacity)
-    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->n, dest->capacity);
+  if (src->capacity > dest->capacity)
+    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity);
   memcpy (dest, src, src_size);
 }
 
@@ -131,8 +131,8 @@ copy_route_ipv6_option_list (struct route_ipv6_option_list *dest,
                             const struct route_ipv6_option_list *src)
 {
   const size_t src_size = array_mult_safe (sizeof(struct route_ipv6_option), src->capacity, sizeof(struct route_ipv6_option_list));
-  if (src->n > dest->capacity)
-    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->n, dest->capacity);
+  if (src->capacity > dest->capacity)
+    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity);
   memcpy (dest, src, src_size);
 }