From 1bcea4cf9cf1da68dd5875589a9d434abd9d321f Mon Sep 17 00:00:00 2001
From: matthew <matthew@openbsd.org>
Date: Mon, 2 Aug 2010 10:30:00 +0000
Subject: [PATCH] Prevent illegal struct casting by moving AF_INET/AF_INET6
 address family checks before calling ifatoia/ifatoia6.

ok deraadt@, dlg@, mcbride@
---
 sys/netinet/ip_carp.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
index 0ba78e71bf3..f368d9f83c8 100644
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_carp.c,v 1.176 2010/07/20 15:36:03 matthew Exp $	*/
+/*	$OpenBSD: ip_carp.c,v 1.177 2010/08/02 10:30:00 matthew Exp $	*/
 
 /*
  * Copyright (c) 2002 Michael Shalayeff. All rights reserved.
@@ -320,9 +320,10 @@ carp_hmac_prepare_ctx(struct carp_vhost_entry *vhe, u_int8_t ctx)
 		last = cur;
 		cur.s_addr = 0xffffffff;
 		TAILQ_FOREACH(ifa, &sc->sc_if.if_addrlist, ifa_list) {
+			if (ifa->ifa_addr->sa_family != AF_INET)
+				continue;
 			in.s_addr = ifatoia(ifa)->ia_addr.sin_addr.s_addr;
-			if (ifa->ifa_addr->sa_family == AF_INET &&
-			    ntohl(in.s_addr) > ntohl(last.s_addr) &&
+			if (ntohl(in.s_addr) > ntohl(last.s_addr) &&
 			    ntohl(in.s_addr) < ntohl(cur.s_addr)) {
 				cur.s_addr = in.s_addr;
 				found++;
@@ -340,14 +341,15 @@ carp_hmac_prepare_ctx(struct carp_vhost_entry *vhe, u_int8_t ctx)
 		last6 = cur6;
 		memset(&cur6, 0xff, sizeof(cur6));
 		TAILQ_FOREACH(ifa, &sc->sc_if.if_addrlist, ifa_list) {
+			if (ifa->ifa_addr->sa_family != AF_INET6)
+				continue;
 			in6 = ifatoia6(ifa)->ia_addr.sin6_addr;
 			if (IN6_IS_SCOPE_EMBED(&in6)) {
 				if (ctx == HMAC_NOV6LL)
 					continue;
 				in6.s6_addr16[1] = 0;
 			}
-			if (ifa->ifa_addr->sa_family == AF_INET6 &&
-			    memcmp(&in6, &last6, sizeof(in6)) > 0 &&
+			if (memcmp(&in6, &last6, sizeof(in6)) > 0 &&
 			    memcmp(&in6, &cur6, sizeof(in6)) < 0) {
 				cur6 = in6;
 				found++;
-- 
2.20.1