From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 19 Feb 2024 00:30:17 +0000 (+0900)
Subject: sd-radv: fix potential buffer overflow
X-Git-Tag: v256-rc1~819
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac63c8df309e37960618610d8b57ac19ac657254;p=thirdparty%2Fsystemd.git

sd-radv: fix potential buffer overflow

Fixes a bug in 1925f829ab17cee7d65cc8c350d8281f8f41588e and
6a6d27bc5b08388964118e922f0c1b49b3c6a8ae (v255).
---

diff --git a/src/libsystemd-network/sd-radv.c b/src/libsystemd-network/sd-radv.c
index 511d06d8052..97d306c49b2 100644
--- a/src/libsystemd-network/sd-radv.c
+++ b/src/libsystemd-network/sd-radv.c
@@ -146,9 +146,9 @@ static int radv_send(sd_radv *ra, const struct in6_addr *dst, usec_t lifetime_us
                 .nd_opt_mtu_type = ND_OPT_MTU,
                 .nd_opt_mtu_len = 1,
         };
-        /* Reserve iov space for RA header, linkaddr, MTU, N prefixes, N routes, RDNSS
-           and DNSSL */
-        struct iovec iov[5 + ra->n_prefixes + ra->n_route_prefixes];
+        /* Reserve iov space for RA header, linkaddr, MTU, N prefixes, N routes, N pref64 prefixes, RDNSS,
+         * DNSSL, and home agent. */
+        struct iovec iov[6 + ra->n_prefixes + ra->n_route_prefixes + ra->n_pref64_prefixes];
         struct msghdr msg = {
                 .msg_name = &dst_addr,
                 .msg_namelen = sizeof(dst_addr),