diff options
| author | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2017-06-14 12:34:43 +0200 |
|---|---|---|
| committer | Ondrej Zajicek (work) <santiago@crfreenet.org> | 2017-06-14 12:34:43 +0200 |
| commit | 5220cb63e34961b097d3bc274e394c0fa946d7d3 (patch) | |
| tree | 2b967e31a67c5ed67c942f056c7606060685ecf9 | |
| parent | 145ebfa1df9ad252af61cce01cc0f09db45f7c9d (diff) | |
Babel: Fix pointer arithmetic in subtlv parsing
The subtlv parsing code was doing byte-based arithmetic with non-void pointers,
causing it to read beyond the end of the packet.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
| -rw-r--r-- | proto/babel/packets.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/proto/babel/packets.c b/proto/babel/packets.c index 3564c703..78c133e0 100644 --- a/proto/babel/packets.c +++ b/proto/babel/packets.c @@ -943,7 +943,7 @@ babel_read_subtlvs(struct babel_tlv *hdr, struct babel_tlv *tlv; for (tlv = (void *) hdr + state->current_tlv_endpos; - tlv < hdr + TLV_LENGTH(hdr); + (void *) tlv < (void *) hdr + TLV_LENGTH(hdr); tlv = NEXT_TLV(tlv)) { /* |