From 73660f779b3e50bd941ef63f9eb43ba6aeb9c5c3 Mon Sep 17 00:00:00 2001 From: Ivan Delamer Date: Tue, 5 May 2015 13:26:17 -0600 Subject: [PATCH] changes to ip6addr_aton() to avoid crash with some ill-formatted strings. --- src/core/ipv6/ip6_addr.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/core/ipv6/ip6_addr.c b/src/core/ipv6/ip6_addr.c index 4fcee07c..d85be6b8 100644 --- a/src/core/ipv6/ip6_addr.c +++ b/src/core/ipv6/ip6_addr.c @@ -104,10 +104,12 @@ ip6addr_aton(const char *cp, ip6_addr_t *addr) if (current_block_index > 7) { /* address too long! */ return 0; - } if (s[1] == ':') { + } + if (s[1] == ':') { s++; /* "::" found, set zeros */ - while (zero_blocks-- > 0) { + while (zero_blocks > 0) { + zero_blocks--; if (current_block_index & 0x1) { addr_index++; } @@ -117,6 +119,10 @@ ip6addr_aton(const char *cp, ip6_addr_t *addr) } } current_block_index++; + if (current_block_index > 7) { + /* address too long! */ + return 0; + } } } } else if (isxdigit(*s)) {
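Review bot: The `if (s[1] == ':')` branch keeps no record that a `::` has already been expanded, so as far as the first hunk shows, a second `::` in the input is tolerated rather than rejected as malformed. RFC 4291 permits the compression only once, and a parser that accepts more can disagree with whatever validated the string upstream; consider setting a flag on the first expansion and returning 0 on the next. The function continues outside the hunk, so confirm that no later check already covers this. The loop also deserves a comment recording why the decrement moved, for example `/* decrement in the body: a post-decrement in the condition would take zero_blocks below zero once the test fails */`.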
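Review bot: The guard added after `current_block_index++` in the second hunk duplicates the `> 7` check at the top of the first hunk, and neither copy says what the bound protects. `addr_index` advances only in step with `current_block_index`, so the check presumably keeps the store in the `else` arm (outside both hunks) inside the array in `*addr`. A comment such as `/* at most 8 blocks; keeps addr_index inside the address array */` and a named constant for 7 would make that invariant explicit; confirm it against the full function. This exit can also return 0 after earlier iterations have already written through `addr`, so the function's header comment should say that `*addr` is unspecified on failure. A regression test with over-long and repeated-`::` inputs would keep both early returns covered.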