lwip-devel

[lwip-devel] [bug #39956] netif_create_ip6_linklocal_address out of boun


From: Chris Luke
Subject: [lwip-devel] [bug #39956] netif_create_ip6_linklocal_address out of bounds access of netif::hwaddr
Date: Sun, 24 Aug 2014 22:40:03 +0000
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.8 Safari/537.36

Follow-up Comment #1, bug #39956 (project lwip):

_gcc_ with certain options will warn on this overflow, eg:


arm-none-eabi-gcc -Idist/laureline-v3.0-13-g8a7d4f6-dirty -Isrc -Isrc/conf
-I./lib -I./lib/lwip -I./ports -I./CoOS/kernel -I./CoOS/portable
-I./lwip/src/include -I./lwip/src/include/ipv4 -I./lwip/src/include/ipv6 -Wall
-Wextra -Wstrict-prototypes -Wno-unused-parameter -Wno-main -Wno-address
-mcpu=cortex-m3 -mthumb -mno-thumb-interwork -DTHUMB_NO_INTERWORKING -Os
-fomit-frame-pointer -Werror -ggdb3 -MD -MP -MF
dist/laureline-v3.0-13-g8a7d4f6-dirty/./lwip/src/core/netif.o.d
-ffunction-sections -fdata-sections -fno-common -falign-functions=16
lwip/src/core/netif.c -c -o
dist/laureline-v3.0-13-g8a7d4f6-dirty/./lwip/src/core/netif.o
lwip/src/core/netif.c: In function 'netif_create_ip6_linklocal_address':
lwip/src/core/netif.c:917:68: error: iteration 6u invokes undefined behavior
[-Werror=aggressive-loop-optimizations]
       netif->ip6_addr[0].addr[addr_index] |=
((u32_t)(netif->hwaddr[netif->hwaddr_len - i - 1])) << (8 * (i & 0x03));
                                                                    ^
lwip/src/core/netif.c:913:5: note: containing loop
     for (i = 0; i < 8; i++) {
     ^
cc1: all warnings being treated as errors


It's entirely because of the incorrect assumption on the size of _hwaddr_.

This possibly naive diff resolves the compiler issue:


diff --git a/src/core/netif.c b/src/core/netif.c
index 36e801b..d655471 100644
--- a/src/core/netif.c
+++ b/src/core/netif.c
@@ -910,7 +910,7 @@ netif_create_ip6_linklocal_address(struct netif * netif,
u8_t from_mac_48bit)
     netif->ip6_addr[0].addr[3] = 0;
 
     addr_index = 3;
-    for (i = 0; i < 8; i++) {
+    for (i = 0; i < netif->hwaddr_len; i++) {
       if (i == 4) {
         addr_index--;
       }
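
Review bot: the replacement condition `i < netif->hwaddr_len` on the `for` line has no upper limit of 8, so it is only safe when the hardware address is 8 bytes or shorter. It does stop the `netif->hwaddr[netif->hwaddr_len - i - 1]` read from reaching a negative index. But `addr_index` is decremented only at `i == 4` and the shift is `8 * (i & 0x03)`, so with a longer address iterations 8 and up would OR further bytes into `addr[2]` at bit positions already filled. Bounding on both, for example `i < 8 && i < netif->hwaddr_len`, keeps the fix and caps the identifier at 64 bits.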


But, like the rest of that loop, it assumes the lower half of the address is
all 0 already.


    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?39956>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/



