[PATCH] Babel: Fix pointer arithmetic in subtlv parsing

Toke Høiland-Jørgensen toke at toke.dk
Tue Jun 13 23:01:11 CEST 2017


The subtlv parsing code was doing byte-based arithmetic with non-void pointers,
causing it to read beyond the end of the packet.

Signed-off-by: Toke Høiland-Jørgensen <toke at toke.dk>
---
 proto/babel/packets.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/proto/babel/packets.c b/proto/babel/packets.c
index 1088fab7..269f04ef 100644
--- a/proto/babel/packets.c
+++ b/proto/babel/packets.c
@@ -951,7 +951,7 @@ babel_read_subtlvs(struct babel_tlv *hdr,
   struct babel_tlv *tlv;
 
   for (tlv = (void *) hdr + state->current_tlv_endpos;
-       tlv < hdr + TLV_LENGTH(hdr);
+       (void *) tlv < (void *) hdr + TLV_LENGTH(hdr);
        tlv = NEXT_TLV(tlv))
   {
     /*
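Review bot: The corrected loop condition bounds only the start address of each sub-TLV, so a sub-TLV whose first byte is inside the enclosing TLV but whose header or declared length runs past `(void *) hdr + TLV_LENGTH(hdr)` still passes this test. The loop body is not visible in this hunk; if it does not already verify that the whole sub-TLV fits before the end, that check belongs there, since that is the same class of over-read the commit message describes. A smaller point on the same line: the comparison depends on arithmetic on `void *`, a GNU C extension that the initializer above also uses. Computing the end pointer once before the loop as a byte pointer would remove the repeated casts and make the byte-based intent explicit, which makes it harder to reintroduce the scaled arithmetic this patch removes.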
-- 
2.13.1


