X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;ds=sidebyside;f=src%2Fscript.c;h=5955e940f075b9879609d3314377bfad0f7c0909;hb=1801580e39ceac0d7fec7adef892763c4da56906;hp=89cb0d69eab831fea854b71e6165552f4b89138f;hpb=62968599557ac81b0f811481f6b06886ddcf0cdb;p=odhcp6c.git

diff --git a/src/script.c b/src/script.c
index 89cb0d6..5955e94 100644
--- a/src/script.c
+++ b/src/script.c
@@ -169,7 +169,7 @@ static void entry_to_env(const char *name, const void *data, size_t len, enum en
 		buf_len += strlen(&buf[buf_len]);
 		if (type != ENTRY_HOST) {
 			snprintf(&buf[buf_len], 6, "/%"PRIu16, e[i].length);
-			buf += strlen(&buf[buf_len]);
+			buf_len += strlen(&buf[buf_len]);
 			if (type == ENTRY_ROUTE) {
 				buf[buf_len++] = ',';
 				if (!IN6_IS_ADDR_UNSPECIFIED(&e[i].router)) {
@@ -177,15 +177,15 @@ static void entry_to_env(const char *name, const void *data, size_t len, enum en
 					buf_len += strlen(&buf[buf_len]);
 				}
 				snprintf(&buf[buf_len], 23, ",%u,%u", e[i].valid, e[i].priority);
-				buf += strlen(&buf[buf_len]);
+				buf_len += strlen(&buf[buf_len]);
 			} else {
 				snprintf(&buf[buf_len], 23, ",%u,%u", e[i].preferred, e[i].valid);
-				buf += strlen(&buf[buf_len]);
+				buf_len += strlen(&buf[buf_len]);
 			}
 
 			if (type == ENTRY_PREFIX && ntohl(e[i].iaid) != 1) {
 				snprintf(&buf[buf_len], 16, ",class=%08x", ntohl(e[i].iaid));
-				buf += strlen(&buf[buf_len]);
+				buf_len += strlen(&buf[buf_len]);
 			}
 
 			if (type == ENTRY_PREFIX && e[i].priority) {
@@ -282,7 +282,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
 			size_t prefix6len = rule->prefix6_len;
 			prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-			if (olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
+			if (prefix6len > sizeof(in6) ||
+			    olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
 				continue;
 
 			memcpy(&in6, rule->ipv6_prefix, prefix6len);
@@ -311,7 +312,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
 					size_t prefix6len = dmr->dmr_prefix6_len;
 					prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-					if (olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
+					if (prefix6len > sizeof(in6) ||
+					    olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
 						continue;
 
 					memcpy(&in6, dmr->dmr_ipv6_prefix, prefix6len);
@@ -330,7 +332,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
 			size_t prefix6len = bind->bindprefix6_len;
 			prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-			if (olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
+			if (prefix6len > sizeof(in6) ||
+			    olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
 				continue;
 
 			memcpy(&in6, bind->bind_ipv6_prefix, prefix6len);