-
Notifications
You must be signed in to change notification settings - Fork 396
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix out-of-bound access in ip6addr_ntoa_r() #29
base: master
Are you sure you want to change the base?
Conversation
break; | ||
} | ||
if (empty_block_flag == 0) { | ||
} else if (empty_block_flag == 0) { | ||
/* generate empty block "::", but only if more than one contiguous zero block, | ||
* according to current formatting suggestions RFC 5952. */ | ||
next_block_value = lwip_htonl(addr->addr[(current_block_index + 1) >> 1]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out-of-bounds access is happened here.
The updated test is still passing when skipping the ip6_addr code change. Can you split into a commit with a failing test and then the change that fixes it? |
When detecting that zero is single, code reads the next group even if current group is last group. If next bytes are not-null, last zero is not omitted. If next bytes are null, last zero is omitted, but since there are no groups left, finishing ':' will not be written, resulting in invalid address. This commit turns off non-single zero check for the last group.
07ec589
to
80e2be1
Compare
@yarrick Done, split into two commits |
The test still passes when applied on top of the current code |
@yarrick What platform do you use? I originally detected this issue when arm64 musl-gcc 13.2 refused to compile code with -Wall -Wextra. And test fails on arm64 macOS without patch. |
I run on Linux on x86_64 (Fedora 40) |
When detecting that zero is single, code reads the next group even if current group is last group.
If next bytes are non-null, last zero is not omitted.
If next bytes are null, last zero is omitted, but since there are no groups left, finishing ':' will not be written, resulting in invalid address.
This commit turns off non-single zero check for the last group.