[ipv6] Avoid potentially copying from a NULL pointer in ipv6_tx()

If ipv6_tx() is called with a non-NULL network device, a NULL or
unspecified source address, and a destination address which does not
match any routing table entry, then it will attempt to copy the source
address from a NULL pointer.

I don't think that there is currently any code path which could
trigger this behaviour, but we should probably ensure that it can
never happen.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/net/ipv6.c b/src/net/ipv6.c
index 771249403838621d289e68df39a454aa279e9055..3c374168cea6446bbd78c38539129e9fc29bed0a 100644 (file)
--- a/src/net/ipv6.c
+++ b/src/net/ipv6.c
@@ -515,7 +515,8 @@ static int ipv6_tx ( struct io_buffer *iobuf,
        }
        if ( sin6_src && ! IN6_IS_ADDR_UNSPECIFIED ( &sin6_src->sin6_addr ) )
                src = &sin6_src->sin6_addr;
-       memcpy ( &iphdr->src, src, sizeof ( iphdr->src ) );
+       if ( src )
+               memcpy ( &iphdr->src, src, sizeof ( iphdr->src ) );
 
        /* Fix up checksums */
        if ( trans_csum ) {