Fix out-of-bound access in ip6addr_ntoa_r()

When detecting that zero is single, code reads the next group even if current group is last group. If next bytes are not-null, last zero is not omitted. If next bytes are null, last zero is omitted, but since there are no groups left, finishing ':' will not be written, resulting in invalid address. This commit turns off non-single zero check for the last group.
lwip-tcpip · Apr 27, 2024 · 80e2be1 · 80e2be1
1 parent f98ca52
commit 80e2be1
Showing 1 changed file with 9 additions and 8 deletions.
diff --git a/src/core/ipv6/ip6_addr.c b/src/core/ipv6/ip6_addr.c
@@ -270,15 +270,16 @@ ip6addr_ntoa_r(const ip6_addr_t *addr, char *buf, int buflen)
 
     /* Check for empty block. */
     if (current_block_value == 0) {
-      if (current_block_index == 7 && empty_block_flag == 1) {
-        /* special case, we must render a ':' for the last block. */
-        buf[i++] = ':';
-        if (i >= buflen) {
-          return NULL;
+      if (current_block_index == 7) {
+        if (empty_block_flag == 1) {
+          /* special case, we must render a ':' for the last block. */
+          buf[i++] = ':';
+          if (i >= buflen) {
+            return NULL;
+          }
+          break;
         }
-        break;
-      }
-      if (empty_block_flag == 0) {
+      } else if (empty_block_flag == 0) {
         /* generate empty block "::", but only if more than one contiguous zero block,
          * according to current formatting suggestions RFC 5952. */
         next_block_value = lwip_htonl(addr->addr[(current_block_index + 1) >> 1]);