From d73332cfc965ad50b2fc31fa25a09e5aebbb9b04 Mon Sep 17 00:00:00 2001
From: Jan Vaclav <jvaclav@redhat.com>
Date: Tue, 7 Apr 2026 12:31:31 +0200
Subject: [PATCH] policy: fix integer overflow in IPv6 PD subnet calculation

The literal `1` is a 32-bit int. When prefix length is less than 33,
the shift `(64 - plen)` exceeds 31 bits, causing undefined behavior.
Cast to guint64 (same type as `num_subnets`) to perform the shift in
64-bit arithmetic.

Found by Coverity (CID: OVERFLOW_BEFORE_WIDEN).

Fixes: ec12fcf6bf4f ('policy: delegate IPv6 configuration to ipv6.method=shared connections')
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
(cherry picked from commit 4565c9efe4a4866dc0a3394276a20adb2a3bdb90)
---
 src/core/nm-policy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/nm-policy.c b/src/core/nm-policy.c
index f7be1a9f87..6685f8c19b 100644
--- a/src/core/nm-policy.c
+++ b/src/core/nm-policy.c
@@ -253,7 +253,7 @@ ip6_subnet_from_delegation(IP6PrefixDelegation *delegation, NMDevice *device)
     }
 
     /* Check for out-of-prefixes condition */
-    num_subnets = 1 << (64 - delegation->prefix.plen);
+    num_subnets = (guint64) 1 << (64 - delegation->prefix.plen);
     if (nm_g_hash_table_size(delegation->map_subnet_id_to_ifindex) >= num_subnets) {
         _LOGD(LOGD_IP6,
               "ipv6-pd: no more prefixes in %s/%u",