Fix regression in entry_to_env()

[odhcp6c.git] / src / script.c

diff --git a/src/script.c b/src/script.c
index 89cb0d69eab831fea854b71e6165552f4b89138f..5955e940f075b9879609d3314377bfad0f7c0909 100644 (file)
--- a/src/script.c
+++ b/src/script.c
@@ -169,7 +169,7 @@ static void entry_to_env(const char *name, const void *data, size_t len, enum en
                buf_len += strlen(&buf[buf_len]);
                if (type != ENTRY_HOST) {
                        snprintf(&buf[buf_len], 6, "/%"PRIu16, e[i].length);
-                       buf += strlen(&buf[buf_len]);
+                       buf_len += strlen(&buf[buf_len]);
                        if (type == ENTRY_ROUTE) {
                                buf[buf_len++] = ',';
                                if (!IN6_IS_ADDR_UNSPECIFIED(&e[i].router)) {
@@ -177,15 +177,15 @@ static void entry_to_env(const char *name, const void *data, size_t len, enum en
                                        buf_len += strlen(&buf[buf_len]);
                                }
                                snprintf(&buf[buf_len], 23, ",%u,%u", e[i].valid, e[i].priority);
-                               buf += strlen(&buf[buf_len]);
+                               buf_len += strlen(&buf[buf_len]);
                        } else {
                                snprintf(&buf[buf_len], 23, ",%u,%u", e[i].preferred, e[i].valid);
-                               buf += strlen(&buf[buf_len]);
+                               buf_len += strlen(&buf[buf_len]);
                        }
 
                        if (type == ENTRY_PREFIX && ntohl(e[i].iaid) != 1) {
                                snprintf(&buf[buf_len], 16, ",class=%08x", ntohl(e[i].iaid));
-                               buf += strlen(&buf[buf_len]);
+                               buf_len += strlen(&buf[buf_len]);
                        }
 
                        if (type == ENTRY_PREFIX && e[i].priority) {
@@ -282,7 +282,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
                        size_t prefix6len = rule->prefix6_len;
                        prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-                       if (olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
+                       if (prefix6len > sizeof(in6) ||
+                           olen < sizeof(struct dhcpv6_s46_rule) + prefix6len)
                                continue;
 
                        memcpy(&in6, rule->ipv6_prefix, prefix6len);
@@ -311,7 +312,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
                                        size_t prefix6len = dmr->dmr_prefix6_len;
                                        prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-                                       if (olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
+                                       if (prefix6len > sizeof(in6) ||
+                                           olen < sizeof(struct dhcpv6_s46_dmr) + prefix6len)
                                                continue;
 
                                        memcpy(&in6, dmr->dmr_ipv6_prefix, prefix6len);
@@ -330,7 +332,8 @@ static void s46_to_env(enum odhcp6c_state state, const uint8_t *data, size_t len
                        size_t prefix6len = bind->bindprefix6_len;
                        prefix6len = (prefix6len % 8 == 0) ? prefix6len / 8 : prefix6len / 8 + 1;
 
-                       if (olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
+                       if (prefix6len > sizeof(in6) ||
+                           olen < sizeof(struct dhcpv6_s46_v4v6bind) + prefix6len)
                                continue;
 
                        memcpy(&in6, bind->bind_ipv6_prefix, prefix6len);