From a06dd6481cd046e4856774ac32cdc11f4bc721e2 Mon Sep 17 00:00:00 2001
From: Steven Barth <steven@midlink.org>
Date: Tue, 14 Apr 2015 10:31:10 +0200
Subject: [PATCH 1/1] Fix potential invalid memory access

---
 src/dhcpv4.c    | 2 +-
 src/dhcpv6-ia.c | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/dhcpv4.c b/src/dhcpv4.c
index 04ef182..647cdc0 100644
--- a/src/dhcpv4.c
+++ b/src/dhcpv4.c
@@ -637,7 +637,7 @@ static struct dhcpv4_assignment* dhcpv4_lease(struct interface *iface,
 	} else if (msg == DHCPV4_MSG_RELEASE) {
 		if (a && a->valid_until != LONG_MAX)
 			a->valid_until = 0;
-	} else if (msg == DHCPV4_MSG_DECLINE && a->valid_until != LONG_MAX) {
+	} else if (msg == DHCPV4_MSG_DECLINE && a && a->valid_until != LONG_MAX) {
 		memset(a->hwaddr, 0, sizeof(a->hwaddr));
 		a->valid_until = now + 3600; // Block address for 1h
 	}
diff --git a/src/dhcpv6-ia.c b/src/dhcpv6-ia.c
index de44581..1476e02 100644
--- a/src/dhcpv6-ia.c
+++ b/src/dhcpv6-ia.c
@@ -596,7 +596,10 @@ static void update(struct interface *iface)
 	}
 
 	struct dhcpv6_assignment *border = list_last_entry(&iface->ia_assignments, struct dhcpv6_assignment, head);
-	border->assigned = 1 << (64 - minprefix);
+	if (minprefix <= 32 || minprefix > 64)
+		border->assigned = 1U << (64 - minprefix);
+	else
+		border->assigned = 0;
 
 	bool change = len != (int)iface->ia_addr_len;
 	for (int i = 0; !change && i < len; ++i)
-- 
2.11.0