From: Michael Brown <mcb30@ipxe.org>
Date: Fri, 23 May 2014 12:47:19 +0000 (+0100)
Subject: [ipv6] Avoid potentially copying from a NULL pointer in ipv6_tx()
X-Git-Tag: v1.20.1~1164
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7627f6c071f4e67b855b02189ca1e3523a1c3bd5;p=thirdparty%2Fipxe.git

[ipv6] Avoid potentially copying from a NULL pointer in ipv6_tx()

If ipv6_tx() is called with a non-NULL network device, a NULL or
unspecified source address, and a destination address which does not
match any routing table entry, then it will attempt to copy the source
address from a NULL pointer.

I don't think that there is currently any code path which could
trigger this behaviour, but we should probably ensure that it can
never happen.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---

diff --git a/src/net/ipv6.c b/src/net/ipv6.c
index 771249403..3c374168c 100644
--- a/src/net/ipv6.c
+++ b/src/net/ipv6.c
@@ -515,7 +515,8 @@ static int ipv6_tx ( struct io_buffer *iobuf,
 	}
 	if ( sin6_src && ! IN6_IS_ADDR_UNSPECIFIED ( &sin6_src->sin6_addr ) )
 		src = &sin6_src->sin6_addr;
-	memcpy ( &iphdr->src, src, sizeof ( iphdr->src ) );
+	if ( src )
+		memcpy ( &iphdr->src, src, sizeof ( iphdr->src ) );
 
 	/* Fix up checksums */
 	if ( trans_csum ) {