From: Gert Doering <gert@greenie.muc.de>
Date: Fri, 30 Dec 2011 20:42:13 +0000 (+0100)
Subject: Fix list-overrun checks in copy_route_[ipv6_]option_list()
X-Git-Tag: v2.3-alpha1~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6abb6cdd46e50b61452b1b2d3d796ab0061e9128;p=thirdparty%2Fopenvpn.git

Fix list-overrun checks in copy_route_[ipv6_]option_list()

The old code checks how many items are in use(!) in the source
list, but then copies the full list over the destination memory
arena.  Check the source list *capacity*.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
---

diff --git a/route.c b/route.c
index 1f0b09677..5dfb9c786 100644
--- a/route.c
+++ b/route.c
@@ -121,8 +121,8 @@ void
 copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src)
 {
   const size_t src_size = array_mult_safe (sizeof(struct route_option), src->capacity, sizeof(struct route_option_list));
-  if (src->n > dest->capacity)
-    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->n, dest->capacity);
+  if (src->capacity > dest->capacity)
+    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity);
   memcpy (dest, src, src_size);
 }
 
@@ -131,8 +131,8 @@ copy_route_ipv6_option_list (struct route_ipv6_option_list *dest,
 			     const struct route_ipv6_option_list *src)
 {
   const size_t src_size = array_mult_safe (sizeof(struct route_ipv6_option), src->capacity, sizeof(struct route_ipv6_option_list));
-  if (src->n > dest->capacity)
-    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->n, dest->capacity);
+  if (src->capacity > dest->capacity)
+    msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity);
   memcpy (dest, src, src_size);
 }