ead: fix array overrun

[openwrt.git] / package / ead / src / ead.c

diff --git a/package/ead/src/ead.c b/package/ead/src/ead.c
index b6a9310f0fb3382d76ec109524d23806c1b1d49a..6a01ea42dd6198603d425d19f01ebd895ea94fd2 100644 (file)
--- a/package/ead/src/ead.c
+++ b/package/ead/src/ead.c
@@ -250,7 +250,7 @@ ead_send_packet_clone(struct ead_packet *pkt)
        len = sizeof(struct ead_packet) - sizeof(struct ether_header) + ntohl(pktbuf->msg.len);
        pktbuf->len[0] = len >> 8;
        pktbuf->len[1] = len & 0xff;
-       memcpy(pktbuf->srcipaddr, pkt->destipaddr, 4);
+       memcpy(pktbuf->srcipaddr, &pkt->msg.ip, 4);
        memcpy(pktbuf->destipaddr, pkt->srcipaddr, 4);
 
        /* ip checksum */
@@ -344,7 +344,7 @@ handle_set_username(struct ead_packet *pkt, int len, int *nstate)
 
        set_state(EAD_TYPE_SET_USERNAME); /* clear old state */
        strncpy(username, user->username, sizeof(username));
-       username[sizeof(username)] = 0;
+       username[sizeof(username) - 1] = 0;
 
        msg = &pktbuf->msg;
        msg->len = 0;