From 520a103a0ece554c8d6ce54ed2d28f578d74de98 Mon Sep 17 00:00:00 2001
From: Matthew Iselin <matthew@theiselins.net>
Date: Thu, 2 Jun 2011 23:14:37 +1000
Subject: [PATCH] [ipv6] Verify validity of IPv6 address in inet6_aton

Signed-off-by: Matthew Iselin <matthew@theiselins.net>
Signed-off-by: Marty Connor <mdc@etherboot.org>
---
 src/net/ipv6.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/net/ipv6.c b/src/net/ipv6.c
index 489db44f..97665b8a 100644
--- a/src/net/ipv6.c
+++ b/src/net/ipv6.c
@@ -499,13 +499,34 @@ char * inet6_ntoa ( struct in6_addr in6 ) {
 int inet6_aton ( const char *cp, struct in6_addr *inp ) {
 	char convbuf[40];
 	char *tmp = convbuf, *next = convbuf;
-	size_t i = 0;
+	size_t i = 0, len = strlen ( cp );
+	int ok;
+	char c;
+	
+	/* Verify a valid address. */
+	if ( ! len ) {
+		return 0;
+	}
+	
+	for ( ; i < len; i++ ) {
+		c = cp[i];
+		
+		ok = c == ':';
+		ok = ok || ( ( c >= '0' ) && ( c <= '9' ) );
+		ok = ok || ( ( c >= 'a' ) && ( c <= 'f' ) );
+		ok = ok || ( ( c >= 'A' ) && ( c <= 'F' ) );
+		
+		if ( ! ok ) {
+			return 0;
+		}
+	}
 	
 	strcpy ( convbuf, cp );
 	
 	DBG ( "ipv6 converting %s to an in6_addr\n", cp );
 	
 	/* Handle the first part of the address (or all of it if no zero-compression. */
+	i = 0;
 	while ( ( next = strchr ( next, ':' ) ) ) {
 		/* Cater for zero-compression. */
 		if ( *tmp == ':' )
-- 
2.11.4.GIT