net: 6lo: Fix memory corruption during uncompression

A memory corruption could happen in `uncompress_IPHC_header` function,
when data was moved to make place in the net buffer for the uncompressed
IPv6/UDP header.

The size of data being moved should only contain the original data size,
not incremented by the amount of space needed to expand the header,
which was already added to the net buffer size. As a result, the `memmove`
operation could exceed the allocated net buffer and cause memory
corruption.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Robert Lubos 2020-01-21 16:47:37 +01:00 committed by Maureen Helm
parent 45050dda48
commit 799a8401e7
1 changed files with 1 additions and 1 deletions

@ -1353,7 +1353,7 @@ static bool uncompress_IPHC_header(struct net_pkt *pkt)
frag = pkt->buffer;
net_buf_add(frag, diff);
cursor = frag->data + diff;
memmove(cursor, frag->data, frag->len);
memmove(cursor, frag->data, frag->len - diff);
} else {
NET_DBG("Not enough tailroom. Get new fragment");
cursor = pkt->buffer->data;
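
Review bot: the length in `memmove(cursor, frag->data, frag->len - diff)` is only correct because `net_buf_add(frag, diff)` two lines earlier has already grown `frag->len` by `diff`, and nothing in the hunk records that dependency. Consider saving the original length in a local before the `net_buf_add` call and passing that local to `memmove`, or at least adding a comment on the subtraction, so that a later reordering of these lines does not bring back the overrun described in the commit message. The condition guarding this branch is outside the visible context; since the `else` branch logs "Not enough tailroom", it is worth confirming that the guard requires at least `diff` bytes of tailroom before `net_buf_add` is called.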