fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-05-14 18:58:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

policy: fix integer overflow in IPv6 PD subnet calculation

Browse source 
The literal `1` is a 32-bit int. When prefix length is less than 33,
the shift `(64 - plen)` exceeds 31 bits, causing undefined behavior.
Cast to guint64 (same type as `num_subnets`) to perform the shift in
64-bit arithmetic.

Found by Coverity (CID: OVERFLOW_BEFORE_WIDEN).

Fixes: ec12fcf6bf ('policy: delegate IPv6 configuration to ipv6.method=shared connections')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 4565c9efe4)
This commit is contained in:
Jan Vaclav 2026-04-07 12:31:31 +02:00
parent 5fa15583e5
commit d73332cfc9
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/core/nm-policy.c
View file

@ -253,7 +253,7 @@ ip6_subnet_from_delegation(IP6PrefixDelegation *delegation, NMDevice *device)
}
/* Check for out-of-prefixes condition */
num_subnets = 1 << (64 - delegation->prefix.plen);
num_subnets = (guint64) 1 << (64 - delegation->prefix.plen);
if (nm_g_hash_table_size(delegation->map_subnet_id_to_ifindex) >= num_subnets) {
_LOGD(LOGD_IP6,
"ipv6-pd: no more prefixes in %s/%u",