authorMichael Brown2014-05-23 14:47:19 +0200
committerMichael Brown2014-05-23 15:11:17 +0200
commit7627f6c071f4e67b855b02189ca1e3523a1c3bd5 (patch)
tree110593ba88205b542ac7168007a6ccacc4b6d861 /src/net/ipv6.c
parent[ipv6] Include network device when transcribing multicast addresses (diff)
[ipv6] Avoid potentially copying from a NULL pointer in ipv6_tx()
If ipv6_tx() is called with a non-NULL network device, a NULL or unspecified source address, and a destination address which does not match any routing table entry, then it will attempt to copy the source address from a NULL pointer. I don't think that there is currently any code path which could trigger this behaviour, but we should probably ensure that it can never happen. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/net/ipv6.c')
-rw-r--r--src/net/ipv6.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/net/ipv6.c b/src/net/ipv6.c
index 77124940..3c374168 100644
--- a/src/net/ipv6.c
+++ b/src/net/ipv6.c
@@ -515,7 +515,8 @@ static int ipv6_tx ( struct io_buffer *iobuf,
}
if ( sin6_src && ! IN6_IS_ADDR_UNSPECIFIED ( &sin6_src->sin6_addr ) )
src = &sin6_src->sin6_addr;
- memcpy ( &iphdr->src, src, sizeof ( iphdr->src ) );
+ if ( src )
+ memcpy ( &iphdr->src, src, sizeof ( iphdr->src ) );
/* Fix up checksums */
if ( trans_csum ) {
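Review bot: When `src` is still NULL at the new `if ( src )` guard, `iphdr->src` is never written, yet the packet carries on into the checksum fix-up with whatever bytes the header already held. Whether the header is zeroed earlier in ipv6_tx() is not visible here (the function starts and ends outside the hunk); if it is not, stale buffer contents could be transmitted as the source address. Making the fallback explicit removes that dependency: add `else` followed by `memset ( &iphdr->src, 0, sizeof ( iphdr->src ) );`, or fail the send if an unspecified source is never legitimate on this path. At minimum, a comment such as `/* No route and no usable source: leave source address unspecified */` above the guard would record the intent.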