From a9a06712326ad69f52567cbd24c04ff1e6ab238e Mon Sep 17 00:00:00 2001
From: Benjamin Valentin
Date: Tue, 11 Aug 2020 13:31:22 +0200
Subject: [PATCH 1/2] gnrc_sixlowpan_iphc: fix Out-of-bounds read
Coverty scan found this:
> CID 298279 (#1 of 1): Out-of-bounds read (OVERRUN)
> 21. overrun-local: Overrunning array of 16 bytes at byte offset 64 by dereferencing pointer
The original intention was probably to advance the destination pointer by 4 bytes, not 4 * the destination type size.
---
 sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c b/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
index 54cede6288..6927ea004f 100644
--- a/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
+++ b/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
@@ -417,7 +417,7 @@ static size_t _iphc_ipv6_decode(const uint8_t *iphc_hdr,
 ipv6_hdr->dst.u8[1] = iphc_hdr[payload_offset++];
 ipv6_hdr->dst.u8[2] = iphc_hdr[payload_offset++];
 ipv6_hdr->dst.u8[3] = ctx->prefix_len;
- ipv6_addr_init_prefix((ipv6_addr_t *)ipv6_hdr->dst.u8 + 4,
+ ipv6_addr_init_prefix((ipv6_addr_t *)(ipv6_hdr->dst.u8 + 4),
 &ctx->prefix, ctx->prefix_len);
 memcpy(ipv6_hdr->dst.u8 + 12, iphc_hdr + payload_offset + 2, 4);
From 2ed7f66d33b7e994d0e09bd922121588e0dfc0be Mon Sep 17 00:00:00 2001
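Review bot: The corrected cast still lets `ipv6_addr_init_prefix` write `ctx->prefix_len` bits starting at byte 4 of the 16-byte destination address, so the overrun Coverity reported is only gone while the context's prefix length stays at or below 96 bits, and any length above 64 bits is presumably written into bytes 12..15 and then silently overwritten by the `memcpy` of the group ID on the next line. The context-based multicast form this branch decodes (RFC 6282, `ffXX:XXLL:PPPP:PPPP:PPPP:PPPP:XXXX:XXXX`) carries eight prefix bytes, so bounding the length before the call, e.g. passing `ctx->prefix_len > 64 ? 64 : ctx->prefix_len` as the last argument, would make the write provably in-bounds regardless of what the context table holds. Whether `ctx->prefix_len` is already validated when the context is installed is not visible here; if it is, a one-line comment stating that invariant above the call would be enough. The `+ 2` in the `memcpy` source, coming after two `payload_offset++` reads, also looks as if it skips two of the inline bytes and is worth confirming against the 48-bit inline layout. `_iphc_ipv6_decode` continues on both sides of the hunk.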
From: Benjamin Valentin
Date: Tue, 11 Aug 2020 13:33:47 +0200
Subject: [PATCH 2/2] gnrc_sixlowpan_iphc: fix last byte of iphc_hdr always being 0
Coverty scan found this:
> CID 298295 (#1 of 1): Operands don't affect result (CONSTANT_EXPRESSION_RESULT) result_independent_of_operands:
> (ipv6_hdr_get_fl(ipv6_hdr) & 255) >> 8 is 0 regardless of the values of its operands.
Looking at the code, this appears to be a copy & paste error from the previous line.
---
 .../gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c b/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
index 6927ea004f..2beeeaf863 100644
--- a/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
+++ b/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
@@ -1033,9 +1033,9 @@ static size_t _iphc_ipv6_encode(gnrc_pktsnip_t *pkt,
 iphc_hdr[inline_pos++] = (uint8_t)((ipv6_hdr_get_fl(ipv6_hdr) & 0x000f0000) >> 16);
 }
- /* copy remaining byteos of flow label */
+ /* copy remaining bytes of flow label */
 iphc_hdr[inline_pos++] = (uint8_t)((ipv6_hdr_get_fl(ipv6_hdr) & 0x0000ff00) >> 8);
- iphc_hdr[inline_pos++] = (uint8_t)((ipv6_hdr_get_fl(ipv6_hdr) & 0x000000ff) >> 8);
+ iphc_hdr[inline_pos++] = (uint8_t)(ipv6_hdr_get_fl(ipv6_hdr) & 0x000000ff);
 }
 /* check for compressible next header */
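Review bot: Each flow-label byte in this hunk is still extracted by its own `ipv6_hdr_get_fl(ipv6_hdr)` call with a hand-typed mask and shift, which is exactly the pattern that produced the copy-and-paste `>> 8` this commit corrects. Fetching the label once, `uint32_t fl = ipv6_hdr_get_fl(ipv6_hdr);`, and then writing `iphc_hdr[inline_pos++] = (uint8_t)(fl >> 8);` and `iphc_hdr[inline_pos++] = (uint8_t)fl;` makes the byte order evident and leaves no redundant mask to get wrong, since the `(uint8_t)` cast already truncates to the low byte. The `>> 16` extraction at the top of the hunk sits inside a block whose opening brace lies above the hunk, so the hoisted local would have to be declared before that block. `_iphc_ipv6_encode` starts and continues outside the hunk.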