mirror/lwip
1
0
Fork 0
mirror of https://github.com/lwip-tcpip/lwip.git synced 2024-06-30 18:09:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix out-of-bound access in ip6addr_ntoa_r()

Browse Source 
When detecting that zero is single, code reads the next group even if current group is last group.

If next bytes are not-null, last zero is not omitted.

If next bytes are null, last zero is omitted, but since there are no groups left,
finishing ':' will not be written, resulting in invalid address.

This commit turns off non-single zero check for the last group.
This commit is contained in:
Sergey Fionov 2024-04-27 08:51:54 +03:00
parent f98ca529d4
commit 80e2be17ad
1 changed files with 9 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/core/ipv6/ip6_addr.c
View File

@ -270,15 +270,16 @@ ip6addr_ntoa_r(const ip6_addr_t *addr, char *buf, int buflen)
/* Check for empty block. */
if (current_block_value == 0) {
if (current_block_index == 7 && empty_block_flag == 1) {
/* special case, we must render a ':' for the last block. */
buf[i++] = ':';
if (i >= buflen) {
return NULL;
if (current_block_index == 7) {
if (empty_block_flag == 1) {
/* special case, we must render a ':' for the last block. */
buf[i++] = ':';
if (i >= buflen) {
return NULL;
}
break;
}
break;
}
if (empty_block_flag == 0) {
} else if (empty_block_flag == 0) {
/* generate empty block "::", but only if more than one contiguous zero block,
* according to current formatting suggestions RFC 5952. */
next_block_value = lwip_htonl(addr->addr[(current_block_index + 1) >> 1]);