From 2a3066558ad34a1a90bddddcf9a3ddbc22cc2e2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20G=C3=B6rig?= <jgorig@fedoraproject.org>
Date: Wed, 13 Jan 2010 14:22:11 +0000
Subject: [PATCH] - updated to latest upstream version - fixed #554125 - added
 error message

---
 radvd-1.5-overflow.patch | 100 +++++++++++++++++++++++++++++++++++++++
 radvd.spec               |  10 +++-
 2 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 radvd-1.5-overflow.patch

diff --git a/radvd-1.5-overflow.patch b/radvd-1.5-overflow.patch
new file mode 100644
index 0000000..ca77f2a
--- /dev/null
+++ b/radvd-1.5-overflow.patch
@@ -0,0 +1,100 @@
+diff -up radvd-1.5/send.c.patch radvd-1.5/send.c
+--- radvd-1.5/send.c.patch	2009-09-07 09:59:57.000000000 +0200
++++ radvd-1.5/send.c	2010-01-13 14:54:18.634775543 +0100
+@@ -66,6 +66,17 @@ send_ra_forall(int sock, struct Interfac
+ 	return 0;
+ }
+ 
++static void
++send_ra_inc_len(size_t *len, int add)
++{
++	*len += add;
++	if(*len >= MSG_SIZE)
++	{
++		flog(LOG_ERR, "Too many prefixes or routes. Exiting.");
++		exit(1);
++	}
++}
++
+ int
+ send_ra(int sock, struct Interface *iface, struct in6_addr *dest)
+ {
+@@ -80,9 +91,7 @@ send_ra(int sock, struct Interface *ifac
+ 	struct AdvPrefix *prefix;
+ 	struct AdvRoute *route;
+ 	struct AdvRDNSS *rdnss;
+-	/* XXX: we don't keep track if buff gets overflowed.  In theory the sysadmin could
+-	   do that with e.g., too many advertised prefixes or routes, but buff is just so
+-	   large that this should never happen and if it does, it's admin's fault :-)  */
++
+ 	unsigned char buff[MSG_SIZE];
+ 	size_t len = 0;
+ 	ssize_t err;
+@@ -193,7 +202,7 @@ send_ra(int sock, struct Interface *ifac
+ 			memcpy(&pinfo->nd_opt_pi_prefix, &prefix->Prefix,
+ 			       sizeof(struct in6_addr));
+ 
+-			len += sizeof(*pinfo);
++			send_ra_inc_len(&len, sizeof(*pinfo));
+ 		}
+ 
+ 		prefix = prefix->next;
+@@ -222,7 +231,7 @@ send_ra(int sock, struct Interface *ifac
+ 			
+ 		memcpy(&rinfo->nd_opt_ri_prefix, &route->Prefix,
+ 		       sizeof(struct in6_addr));
+-		len += sizeof(*rinfo);
++		send_ra_inc_len(&len, sizeof(*rinfo));
+ 
+ 		route = route->next;
+ 	}
+@@ -254,7 +263,7 @@ send_ra(int sock, struct Interface *ifac
+ 		       sizeof(struct in6_addr));
+ 		memcpy(&rdnssinfo->nd_opt_rdnssi_addr3, &rdnss->AdvRDNSSAddr3,
+ 		       sizeof(struct in6_addr));
+-		len += sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr);
++		send_ra_inc_len(&len, sizeof(*rdnssinfo) - (3-rdnss->AdvRDNSSNumber)*sizeof(struct in6_addr));
+ 
+ 		rdnss = rdnss->next;
+ 	}
+@@ -273,7 +282,7 @@ send_ra(int sock, struct Interface *ifac
+ 		mtu->nd_opt_mtu_reserved = 0; 
+ 		mtu->nd_opt_mtu_mtu      = htonl(iface->AdvLinkMTU);
+ 
+-		len += sizeof(*mtu);
++		send_ra_inc_len(&len, sizeof(*mtu));
+ 	}
+ 
+ 	/*
+@@ -290,11 +299,11 @@ send_ra(int sock, struct Interface *ifac
+ 		*ucp++  = ND_OPT_SOURCE_LINKADDR;
+ 		*ucp++  = (uint8_t) ((iface->if_hwaddr_len + 16 + 63) >> 6);
+ 
+-		len += 2 * sizeof(uint8_t);
++		send_ra_inc_len(&len, 2 * sizeof(uint8_t));
+ 
+ 		i = (iface->if_hwaddr_len + 7) >> 3;
+ 		memcpy(buff + len, iface->if_hwaddr, i);
+-		len += i;
++		send_ra_inc_len(&len, i);
+ 	}
+ 
+ 	/*
+@@ -320,7 +329,7 @@ send_ra(int sock, struct Interface *ifac
+ 		a_ival.adv_ival	= htonl(ival);
+ 
+ 		memcpy(buff + len, &a_ival, sizeof(a_ival));
+-		len += sizeof(a_ival);
++		send_ra_inc_len(&len, sizeof(a_ival));
+ 	}
+ 
+ 	/*
+@@ -342,7 +351,7 @@ send_ra(int sock, struct Interface *ifac
+ 		ha_info.lifetime	= htons(iface->HomeAgentLifetime);
+ 
+ 		memcpy(buff + len, &ha_info, sizeof(ha_info));
+-		len += sizeof(ha_info);
++		send_ra_inc_len(&len, sizeof(ha_info));
+ 	}
+ 	
+ 	iov.iov_len  = len;
diff --git a/radvd.spec b/radvd.spec
index cfa3f02..ea09e44 100644
--- a/radvd.spec
+++ b/radvd.spec
@@ -4,8 +4,8 @@
 %define RADVD_UID 75
 Summary:    A Router Advertisement daemon
 Name:       radvd
-Version:    1.3
-Release:    4%{?dist}
+Version:    1.5
+Release:    1%{?dist}
 # The code includes the advertising clause, so it's GPL-incompatible
 License:    BSD with advertising
 Group:      System Environment/Daemons
@@ -18,6 +18,7 @@ Requires(pre):      /usr/sbin/useradd
 BuildRequires:      flex, byacc
 BuildRoot:          %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Patch1:  radvd-1.3-posix.patch
+Patch2:  radvd-1.5-overflow.patch
 
 %description
 radvd is the router advertisement daemon for IPv6.  It listens to router
@@ -34,6 +35,7 @@ services.
 %setup -q
 
 %patch1 -p1 -b .posix
+%patch2 -p1 -b .overflow
 
 %build
 export CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -fPIE" 
@@ -95,6 +97,10 @@ fi
 %{_sbindir}/radvdump
 
 %changelog
+* Wed Jan 13 2010 Jan Gorig <jgorig@redhat.com> - 1.5-1
+- updated do latest upstream version
+- fixed #554125 - added error message
+
 * Sun Oct 18 2009 Jiri Skala <jskala@redhat.com> - 1.3-4
 - fixed #528178 - added force-reload