From 80e2be17ad32308c2c2eb283ccc8bb04bd38d39c Mon Sep 17 00:00:00 2001 From: Sergey Fionov Date: Sat, 27 Apr 2024 08:51:54 +0300 Subject: [PATCH] Fix out-of-bound access in ip6addr_ntoa_r() When detecting that zero is single, code reads the next group even if current group is last group. If next bytes are not-null, last zero is not omitted. If next bytes are null, last zero is omitted, but since there are no groups left, finishing ':' will not be written, resulting in invalid address. This commit turns off non-single zero check for the last group. --- src/core/ipv6/ip6_addr.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/src/core/ipv6/ip6_addr.c b/src/core/ipv6/ip6_addr.c index 6e0ac86b..48e0d639 100644 --- a/src/core/ipv6/ip6_addr.c +++ b/src/core/ipv6/ip6_addr.c @@ -270,15 +270,16 @@ ip6addr_ntoa_r(const ip6_addr_t *addr, char *buf, int buflen) /* Check for empty block. */ if (current_block_value == 0) { - if (current_block_index == 7 && empty_block_flag == 1) { - /* special case, we must render a ':' for the last block. */ - buf[i++] = ':'; - if (i >= buflen) { - return NULL; + if (current_block_index == 7) { + if (empty_block_flag == 1) { + /* special case, we must render a ':' for the last block. */ + buf[i++] = ':'; + if (i >= buflen) { + return NULL; + } + break; } - break; - } - if (empty_block_flag == 0) { + } else if (empty_block_flag == 0) { /* generate empty block "::", but only if more than one contiguous zero block, * according to current formatting suggestions RFC 5952. */ next_block_value = lwip_htonl(addr->addr[(current_block_index + 1) >> 1]);