kernel/linux.git/net/6lowpan/iphc.c, branch linux-7.1.yLinux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y2026-06-02T02:10:16+00:006lowpan: fix off-by-one in multicast context address compression2026-06-02T02:10:16+00:00Yizhou Zhaozhaoyz24@mails.tsinghua.edu.cn2026-05-27T08:18:01+00:00urn:sha1:2a58899d11009bffc7b4b32a571858f381121837
The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.
This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
is transmitted over the network via lowpan_push_hc_data(),
leaking kernel stack contents
The correct inline data layout must match what the decompression
function lowpan_uncompress_multicast_ctx_daddr() expects:
data[0..1] = s6_addr[1..2] (flags/scope + RIID)
data[2..5] = s6_addr[12..15] (group ID)
Also zero-initialize the data array as a defensive measure against
similar bugs in the future.
Fixes: 5609c185f24d ("6lowpan: iphc: add support for stateful compression")
Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://patch.msgid.link/20260527081806.42747-1-zhaoyz24@mails.tsinghua.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
6lowpan: Remove redundant initialisation.2023-03-29T07:22:52+00:00Kuniyuki Iwashimakuniyu@amazon.com2023-03-27T23:54:55+00:00urn:sha1:be689c719eb6153b0fbd83536ae656dca8981f12
We'll call memset(&tmp, 0, sizeof(tmp)) later.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
6lowpan: iphc: reset mac_header after decompress to fix panic2018-07-06T10:32:12+00:00Michael Scottmichael@opensourcefoundries.com2018-06-19T23:44:06+00:00urn:sha1:03bc05e1a4972f73b4eb8907aa373369e825c252
After decompression of 6lowpan socket data, an IPv6 header is inserted
before the existing socket payload. After this, we reset the
network_header value of the skb to account for the difference in payload
size from prior to decompression + the addition of the IPv6 header.
However, we fail to reset the mac_header value.
Leaving the mac_header value untouched here, can cause a calculation
error in net/packet/af_packet.c packet_rcv() function when an
AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
interface.
On line 2088, the data pointer is moved backward by the value returned
from skb_mac_header(). If skb->data is adjusted so that it is before
the skb->head pointer (which can happen when an old value of mac_header
is left in place) the kernel generates a panic in net/core/skbuff.c
line 1717.
This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
sources for compression and decompression.
Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
Acked-by: Alexander Aring <aring@mojatatu.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
6lowpan: Use netdev addr_len to determine lladdr len2017-04-12T20:02:36+00:00Luiz Augusto von Dentzluiz.von.dentz@intel.com2017-03-12T08:19:37+00:00urn:sha1:fa09ae661fb5ab6f9826545d5128f2b7393bcf4a
This allow technologies such as Bluetooth to use its native lladdr which
is eui48 instead of eui64 which was expected by functions like
lowpan_header_decompress and lowpan_header_compress.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
6lowpan: iphc: override l2 packet information2017-04-12T20:02:36+00:00Alexander Aringaar@pengutronix.de2017-03-12T08:19:35+00:00urn:sha1:94e4a68039cc0c9d6e5cf708819cb8c7e770ebbf
The skb->pkt_type need to be set by L2, but on 6LoWPAN there exists L2
e.g. BTLE which doesn't has multicast addressing. If it's a multicast or
not is detected by IPHC headers multicast bit. The IPv6 layer will
evaluate this pkt_type, so we force set this type while uncompressing.
Should be okay for 802.15.4 as well.
Signed-off-by: Alexander Aring <aar@pengutronix.de>
Reviewed-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
6lowpan: add support for 802.15.4 short addr handling2016-06-16T03:41:24+00:00Alexander Aringaar@pengutronix.de2016-06-15T19:20:27+00:00urn:sha1:eab560e58208730ec47e1e0461b8db1049d5d176
This patch adds necessary handling for use the short address for
802.15.4 6lowpan. It contains support for IPHC address compression
and new matching algorithmn to decide which link layer address will be
used for 802.15.4 frame.
Reviewed-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Alexander Aring <aar@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
6lowpan: move mac802154 header2016-04-13T08:41:10+00:00Alexander Aringaar@pengutronix.de2016-04-11T09:04:24+00:00urn:sha1:edc73417d8f33a1dd329295275168923298d9a7b
In case of link-layer specific handling for 802.15.4 we need to cast to
802.15.4 sepcific structures. Simple add this header when include the
6lowpan header.
Signed-off-by: Alexander Aring <aar@pengutronix.de>
Reviewed-by: Stefan Schmidt<stefan@osg.samsung.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
6lowpan: move eui64 uncompress function2016-04-13T08:41:10+00:00Alexander Aringaar@pengutronix.de2016-04-11T09:04:22+00:00urn:sha1:a5862f2aba4ba53d461450685a67ae252935ab94
This function will be use in later functionality in other branches than
generic 6lowpan, so we move it to the global 6lowpan header.
Signed-off-by: Alexander Aring <aar@pengutronix.de>
Reviewed-by: Stefan Schmidt<stefan@osg.samsung.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
6lowpan: iphc: remove unnecessary zero data2016-04-13T08:41:09+00:00Alexander Aringaar@pengutronix.de2016-04-11T09:04:21+00:00urn:sha1:2bc068c3d6e1212d09c11169c699560747ef8c2b
This patch removes unnecessary zero data for a stack variable.
Signed-off-by: Alexander Aring <aar@pengutronix.de>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
6lowpan: iphc: rename add lowpan prefix2016-04-13T08:41:09+00:00Alexander Aringaar@pengutronix.de2016-04-11T09:04:20+00:00urn:sha1:7115a968b75e9f81f6f8f45b2f97b1b43e024703
This patch adds a lowpan prefix to each functions which doesn't have
such prefix currently.
Reviewed-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Alexander Aring <aar@pengutronix.de>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>