ipv6: fix IPv6 processing of sessions that only have only a link-local address

Several modules assume that if ses->ipv6 is set, then
ses->ipv6->addr_list contains at least one element. But this is not
true if ipv6 was allocated by the pseudo ipdb backend of ipv6cp
(ipv6cp_opt_intfid.c). That is, if the PPP session only has an
automatic link-local address.

This leads modules like pppd-compat and dhcpv6 to access invalid memory
when trying to retrieve the IPv6 address of a PPP session.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>

4 files changed, 4 insertions, 4 deletions

diff --git a/accel-pppd/cli/show_sessions.c b/accel-pppd/cli/show_sessions.c
index 443b186a..c725e05d 100644
--- a/accel-pppd/cli/show_sessions.c
+++ b/accel-pppd/cli/show_sessions.c
@@ -414,7 +414,7 @@ static void print_ip6(struct ap_session *ses, char *buf)
 	struct in6_addr addr;
 	char *ptr;
 
-	if (!ses->ipv6) {
+	if (!ses->ipv6 || list_empty(&ses->ipv6->addr_list)) {
 		*buf = 0;
 		return;
 	}
diff --git a/accel-pppd/extra/pppd_compat.c b/accel-pppd/extra/pppd_compat.c
index 318327e8..7c23eca0 100644
--- a/accel-pppd/extra/pppd_compat.c
+++ b/accel-pppd/extra/pppd_compat.c
@@ -622,7 +622,7 @@ static void fill_env(char **env, char *mem, struct pppd_compat_pd *pd)
 	mem += write_sz + 1;
 	++n;
 
-	if (ses->ipv6) {
+	if (ses->ipv6 && !list_empty(&ses->ipv6->addr_list)) {
 		///FIXME only first address is passed to env
 		struct ipv6db_addr_t *a = list_first_entry(&ses->ipv6->addr_list,
 							   typeof(*a), entry);
diff --git a/accel-pppd/ipv6/dhcpv6.c b/accel-pppd/ipv6/dhcpv6.c
index 84d36caa..36a5f15e 100644
--- a/accel-pppd/ipv6/dhcpv6.c
+++ b/accel-pppd/ipv6/dhcpv6.c
@@ -69,7 +69,7 @@ static void ev_ses_started(struct ap_session *ses)
 	int sock;
 	int f = 1;
 
-	if (!ses->ipv6)
+	if (!ses->ipv6 || list_empty(&ses->ipv6->addr_list))
 		return;
 
 	a = list_entry(ses->ipv6->addr_list.next, typeof(*a), entry);
diff --git a/accel-pppd/lua/session.c b/accel-pppd/lua/session.c
index 277b299f..bd98911b 100644
--- a/accel-pppd/lua/session.c
+++ b/accel-pppd/lua/session.c
@@ -197,7 +197,7 @@ static int session_ipv6(lua_State *L)
 	if (!ses)
 		return 0;
 
-	if (ses->ipv6) {
+	if (ses->ipv6 && !list_empty(&ses->ipv6->addr_list)) {
 		a = list_entry(ses->ipv6->addr_list.next, typeof(*a), entry);
 		if (a->prefix_len) {
 			build_ip6_addr(a, ses->ipv6->peer_intf_id, &addr);