Re: [PATCH net] 6lowpan: fix off-by-one in multicast context address compression

From: patchwork-bot+netdevbpf@kernel.org
Date: 2026-06-02 02:30:03
Also in: linux-bluetooth, lkml

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski [off-list ref]:

On Wed, 27 May 2026 16:18:01 +0800 you wrote:

The second memcpy in lowpan_iphc_mcast_ctx_addr_compress() uses
&data[1] as destination and &ipaddr->s6_addr[11] as source, but
both should be offset by one: &data[2] and &ipaddr->s6_addr[12]
respectively.

This off-by-one has two consequences:
1. data[1] is overwritten with s6_addr[11], corrupting the RIID
   field in the compressed multicast address
2. data[5] is never written, so uninitialized kernel stack memory
   is transmitted over the network via lowpan_push_hc_data(),
   leaking kernel stack contents

[...]

Here is the summary with links:
  - [net] 6lowpan: fix off-by-one in multicast context address compression
    https://git.kernel.org/netdev/net/c/2a58899d1100

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help