From e2d17adf9fa1aa745bbc9b4b3c9415050ff86e12 Mon Sep 17 00:00:00 2001
From: david
Date: Sat, 15 Sep 2012 17:17:59 +0000
Subject: [PATCH] Fix add_rtattr_addr. The second argument to RTA_NEXT was missing a dereference, so it was changing the pointer rather than the integer pointed to. I got this assertion failure with an IPv6 link-local address: nmap: netutil.cc:3048: void add_rtattr_addr(nlmsghdr*, rtattr**, unsigned int*, unsigned char, const sockaddr_storage*): Assertion `((*len) >= (int)sizeof(struct rtattr) && (*rtattr)->rta_len >= sizeof(struct rtattr) && (*rtattr)->rta_len <= (*len))' failed.
---
 libnetutil/netutil.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libnetutil/netutil.cc b/libnetutil/netutil.cc
index b578ca5a3..efbcc19e0 100644
--- a/libnetutil/netutil.cc
+++ b/libnetutil/netutil.cc
@@ -3035,7 +3035,7 @@ static void add_rtattr_addr(struct nlmsghdr *nlmsg,
 assert(RTA_OK(*rtattr, *len));
 memcpy(RTA_DATA(*rtattr), addr, addrlen);
 nlmsg->nlmsg_len = NLMSG_ALIGN(nlmsg->nlmsg_len) + (*rtattr)->rta_len;
- *rtattr = RTA_NEXT(*rtattr, len);
+ *rtattr = RTA_NEXT(*rtattr, *len);
 /* Specific interface (sin6_scope_id) requested? */
 if (ifindex > 0) {
@@ -3048,7 +3048,7 @@ static void add_rtattr_addr(struct nlmsghdr *nlmsg,
 assert(RTA_OK(*rtattr, *len));
 *(uint32_t *) RTA_DATA(*rtattr) = ifindex;
 nlmsg->nlmsg_len = NLMSG_ALIGN(nlmsg->nlmsg_len) + (*rtattr)->rta_len;
- *rtattr = RTA_NEXT(*rtattr, len);
+ *rtattr = RTA_NEXT(*rtattr, *len);
 }
 }
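Review bot: The only bounds check ahead of `memcpy(RTA_DATA(*rtattr), addr, addrlen)` in the first hunk, and ahead of the `*(uint32_t *) RTA_DATA(*rtattr) = ifindex` store in the second, is `assert(RTA_OK(*rtattr, *len))`. That check disappears when NDEBUG is defined, leaving both writes unguarded, and in other builds it aborts the process. With this fix `*len` finally tracks the space left in the request buffer, so the guard is worth making unconditional before each write, e.g. `if (!RTA_OK(*rtattr, *len)) { /* fail through the file's fatal-error path */ }`. The assertion text in the commit message shows `len` as `unsigned int *`, so if `RTA_NEXT` ever subtracted more than remains, `*len` would wrap to a large value instead of going negative and later `RTA_OK` checks would pass; a comment such as `/* *len is unsigned: RTA_OK must hold before RTA_NEXT, or the subtraction wraps */` would record that. The start of add_rtattr_addr, where `rta_len` and `addrlen` are presumably set, lies outside both hunks.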