From e8654e6eb4dd34896e058c13a5fd552ca18fc424 Mon Sep 17 00:00:00 2001
From: Hajime Tazaki
Date: Wed, 31 Jan 2018 13:55:36 +0900
Subject: [PATCH] lkl-upstream: fix ifgateway6 parameter handling

This commit fixes an illegal parameter handling when json config is specified with ifgateway6, which results in memory boundary violation with accessing exceeded index of array (i.e., the final index of u6_addr8 should be 15, not 16).

Signed-off-by: Hajime Tazaki
---
 tools/lkl/lib/net.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tools/lkl/lib/net.c b/tools/lkl/lib/net.c
index f9faeb57509426..8cc39570d9225e 100644
--- a/tools/lkl/lib/net.c
+++ b/tools/lkl/lib/net.c
@@ -597,11 +597,11 @@ static int iproute_modify(int cmd, unsigned int flags, int ifindex, int af,
 int rmbit = route_masklen%8;
 for (i = 0; i < rmbyte; i++)
- netaddr.in6_u.u6_addr8[16-i] = 0;
- netaddr.in6_u.u6_addr8[16-rmbyte] =
- (netaddr.in6_u.u6_addr8[16-rmbyte] >> rmbit);
- netaddr.in6_u.u6_addr8[16-rmbyte] =
- (netaddr.in6_u.u6_addr8[16-rmbyte] << rmbit);
+ netaddr.in6_u.u6_addr8[15-i] = 0;
+ netaddr.in6_u.u6_addr8[15-rmbyte] =
+ (netaddr.in6_u.u6_addr8[15-rmbyte] >> rmbit);
+ netaddr.in6_u.u6_addr8[15-rmbyte] =
+ (netaddr.in6_u.u6_addr8[15-rmbyte] << rmbit);
 *(struct lkl_in6_addr *)route_addr = netaddr;
 req.r.rtm_dst_len = route_masklen;
 addattr_l(&req.n, sizeof(req), LKL_RTA_DST,
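Review bot: The two partial-byte assignments to `u6_addr8[15-rmbyte]` are still unbounded within this hunk, because the index is only valid while `rmbyte` stays between 0 and 15. `rmbyte` is computed above the hunk, so this is inferred, but if it is the count of whole host bytes derived from `route_masklen`, a prefix length of 0 would yield index -1 and a length above 128 would index past the 16-byte array. The commit message says the value can come from a JSON config, so it is worth rejecting out-of-range input before the loop, e.g. `if (route_masklen < 0 || route_masklen > 128) return -LKL_EINVAL;` (or the function's usual error return), and skipping the shift pair when `rmbyte == 16`. The body of iproute_modify starts and ends outside the hunk, so a range check may already exist earlier in the function.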